14-Administrator Accounts

The document outlines the management of administrator accounts on the FortiManager unit, detailing local and remote authentication methods, including two-factor authentication. It describes the various administrator profiles that dictate access levels and permissions, as well as the importance of setting trusted hosts to enhance security by restricting administrative access to specified IP addresses or subnets. Additionally, it explains the roles of restricted and system administrators, emphasizing the need for sufficient privileges to manage profiles and access permissions.

Administrator Accounts:

Administrator accounts are used to control access to the FortiManager unit. Local and remote
authentication is supported, as well as two-factor authentication. Additional administrative
accounts can be created as needed, with either full or read-only access. To create a new
administrator account, you must be logged in to an account with sufficient privileges, or as a
super user administrator. Only administrators with the Super_User profile can see the complete
administrators list; if you lack the required viewing permissions, the administrator list is not
shown to you. When ADOMs are enabled, administrators can only access the ADOMs they have
permission to access.

Admin Authentication:
Instead of creating local administrators, where logins are validated by FortiManager, you can
configure external servers to validate your administrator logins. You can use RADIUS, LDAP,
TACACS+, and PKI as means of verifying the administrator credentials. The FortiManager system
supports authentication of administrators locally, remotely with RADIUS, LDAP, or TACACS+
servers, and using PKI. Remote authentication servers can also be added to authentication
groups that administrators can use for authentication.
To use remote authentication servers, you must configure the appropriate server entries in the
FortiManager unit for each authentication server in your network. New LDAP remote
authentication servers can be added and linked to all ADOMs or specific ADOMs.

Page 1 | Created by Ahmad Ali, E-Mail: [email protected], WhatsApp: 00966564303717


Administrator Profiles:
In order to efficiently administer your system, FortiManager comes with five pre-installed
default profiles that you can assign to other administrative users. Administrator profiles define
administrator permissions and are required for each administrative account. Administrator
profiles define different types of administrators and the level of access they have to the
FortiManager unit, as well as the devices registered to it. Administrator profiles are used to
control administrator access privileges to devices or system features. Profiles are assigned to
administrator accounts when an administrator is created. The profile controls access to both
the FortiManager GUI and CLI.
You can assign the default profiles to administrative accounts, or you can modify the individual
permissions associated with each default profile. Alternatively, you can create your own custom
profile. These profiles cannot be deleted, but standard and restricted profiles can be edited.
New profiles can also be created as required. Only super user administrators can manage
administrator profiles.
Package_User: Provides read and write access to policy package and object permissions, but read-only access for system and other permissions.
Restricted_User: Provides read-only access to device permissions, but no system permissions.
Standard_User: Provides read and write access to device permissions, but no system permissions.
Super_User: Provides access to all device and system permissions, such as FortiGate.
No_Permission_User: No system or device privileges enabled.

Go to System Settings > Admin > Profile to view and manage administrator profiles.



Type of Administrator Profiles:
Restricted Administrators:
Restricted administrator accounts are used to delegate management of Web Filter, IPS, and
Application Control profiles, and then install those objects to their assigned ADOM. For the
Restricted Admin type, you can create a new restricted administrator profile to allow the
delegated administrator to make changes to the web filtering profile, IPS sensor, and
application sensor associated with their ADOM. Restricted administrators cannot be used when
workflow mode is enabled.

System Admin:
For the System Admin type, you can modify one of the predefined profiles, or create a custom
profile. Only administrators with full system permissions can modify administrator profiles.
Depending on the nature of the administrator’s work, access level, or seniority, you can allow
them to view and configure as much, or as little, as required.



Trusted Hosts:
Setting trusted hosts for all of your administrators increases the security of your network by
further restricting administrative permissions. In addition to knowing the password, an
administrator must connect from the subnet or subnets you specify. So, beyond controlling
administrative access through administrator profiles, you can further control access by setting
up trusted hosts for each administrative user. This restricts administrators to logins from
specific IP addresses or subnets only. You can even restrict an administrator to a single IP
address by defining only one trusted host IP address.
When you set trusted hosts for all administrators, the FortiManager unit does not respond to
administrative access attempts from any other hosts. This provides the highest security. If you
leave even one administrator unrestricted, the unit accepts administrative access attempts on
any interface that has administrative access enabled, potentially exposing the unit to attempts
to gain unauthorized access. The trusted hosts you define apply to both the GUI and to the CLI
when accessed through SSH. CLI access through the console connector is not affected.
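The "one unrestricted administrator exposes the whole unit" point above can be checked with a small audit over the trusted host assignments. This is an added example, not FortiManager code or output: the account names and CIDR entries are constructed, and an empty list models an account with no trusted hosts configured.

```python
import ipaddress

# Constructed sample data (hypothetical account names, not from the page):
# administrator account -> trusted host entries in CIDR form.
ADMINS = {
    "netops_admin": ["10.10.0.0/24", "192.168.50.0/24"],
    "auditor": ["10.10.0.15/32"],       # pinned to a single address
    "legacy_admin": [],                 # no trusted hosts configured at all
    "helpdesk": ["0.0.0.0/0"],          # catch-all entry, matches every source
}

def _networks(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_unrestricted(entries):
    """True if the entries place no limit on the source address:
    either nothing is configured or a zero-length prefix covers everything."""
    nets = _networks(entries)
    return not nets or any(n.prefixlen == 0 for n in nets)

def unrestricted_admins(admins):
    """Accounts that would make the unit accept login attempts from any host."""
    return sorted(name for name, entries in admins.items()
                  if is_unrestricted(entries))

def host_permitted(entries, src_ip):
    """Would an account with these trusted hosts be allowed to log in from src_ip?"""
    ip = ipaddress.ip_address(src_ip)
    return is_unrestricted(entries) or any(ip in n for n in _networks(entries))

def unit_accepts_from(admins, src_ip):
    """True if at least one account would accept a login attempt from src_ip.
    Only when every account is restricted does the unit ignore other hosts."""
    return any(host_permitted(entries, src_ip) for entries in admins.values())

if __name__ == "__main__":
    print("unrestricted accounts:", unrestricted_admins(ADMINS))
    print("unit accepts 203.0.113.9:", unit_accepts_from(ADMINS, "203.0.113.9"))
    fixed = {n: e for n, e in ADMINS.items() if not is_unrestricted(e)}
    print("after restricting all:", unit_accepts_from(fixed, "203.0.113.9"))
```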
