Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

System access

To adjust system access settings:
  1. Go to System > Administration > System Access. The Edit System Access Settings page will open.

  2. The following settings are available:
    Administrative Access
    Require strong cryptography Enable this option to restrict administrative access using stronger cryptographic algorithms, such as TLS 1.2, DHE, AES, and SHA256.
    Enable pre-authentication warning message Pre-authentication warning messages can be found under Authentication > Portals > Replacement Messages.
    CLI Access
      CLI idle timeout Enter the amount of time before the CLI times out due to inactivity, from 0 to 480 minutes (maximum of eight hours).
    GUI Access

     

    Site title

    Specify the string to display as the page title in web browsers. The following variables are available for the construction of the string:

    • {{:hostname}}: Host name

    • {{:fqdn}}: Device FQDN

    The default is set to FortiAuthenticator.

      GUI idle timeout Enter the amount of time before the GUI times out due to inactivity, from 1 to 480 minutes (maximum of eight hours).
      Maximum HTTP header length Enter the maximum HTTP header length, from 4 to 16 KB.
      HTTPS Certificate Select an HTTPS certificate from the dropdown menu.
      HTTP Strict Transport Security (HSTS) Expiry Enable or disable HSTS enforcement, to avoid SSL sniffing attacks, and set an expiry from 0 to 730 days (where 0 means no expiry, maximum of two years). The default is set to 180.
      Certificate authority type Select the selected certificate’s authority type, either Local CA or Trusted CA.
      CA certificate that issued the server certificate Select the issuing server certificate from the dropdown menu.

     

    Allow all hosts/domain names

    Enable to allow all the hosts/domain names.

      Additional allowed hosts/domain names

    Specify any additional hosts that this site can serve, separated by commas or line breaks.

    This option is only available when Allow all hosts/domain names is disabled.

      Public IP/FQDN for FortiToken Mobile

    Enter the IP, or FQDN, of the FortiAuthenticator for external access.

    The mobile device running the FortiToken Mobile app requires access to the FortiAuthenticator interface for push to operate.

    Enter the IPs/FQDNs in the following format:
    ip_addr[:port] or FQDN[:port]

    Self-Service Portal Access Control Settings

     

    Username input format

    Select one of the following three username input formats:

    • username@realm

    • realm\username

    • realm/username

    Note: When authenticating against the default realm, the realm name is optional.

     

    Use default realm when user-provided realm is different from all configured realms

    When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

     

    Realms

    Add realms to which the client will be associated.

    • Select a realm from the dropdown menu in the Realm column.

    • Select whether or not to allow local users to override remote users for the selected realm.

    • Edit the group filter as needed to filter users based on the groups they are in.

    • If necessary, add more realms to the list.

    • Select the realm that will be the default realm for this client.

    REST API

     

    Restrict number of requests to

    Enter the maximum number of REST API requests sent, from 1 to 2880 requests. The default is set to 360.

     

    For duration

    Enter the amount of time for which the maximum number of requests is restricted, from 1 to 480 minutes. The default is set to 60.

  3. Select OK to apply any changes. See Certificate management for more information about certificates.

System access

To adjust system access settings:
  1. Go to System > Administration > System Access. The Edit System Access Settings page will open.

  2. The following settings are available:
    Administrative Access
    Require strong cryptography Enable this option to restrict administrative access using stronger cryptographic algorithms, such as TLS 1.2, DHE, AES, and SHA256.
    Enable pre-authentication warning message Pre-authentication warning messages can be found under Authentication > Portals > Replacement Messages.
    CLI Access
      CLI idle timeout Enter the amount of time before the CLI times out due to inactivity, from 0 to 480 minutes (maximum of eight hours).
    GUI Access

     

    Site title

    Specify the string to display as the page title in web browsers. The following variables are available for the construction of the string:

    • {{:hostname}}: Host name

    • {{:fqdn}}: Device FQDN

    The default is set to FortiAuthenticator.

      GUI idle timeout Enter the amount of time before the GUI times out due to inactivity, from 1 to 480 minutes (maximum of eight hours).
      Maximum HTTP header length Enter the maximum HTTP header length, from 4 to 16 KB.
      HTTPS Certificate Select an HTTPS certificate from the dropdown menu.
      HTTP Strict Transport Security (HSTS) Expiry Enable or disable HSTS enforcement, to avoid SSL sniffing attacks, and set an expiry from 0 to 730 days (where 0 means no expiry, maximum of two years). The default is set to 180.
      Certificate authority type Select the selected certificate’s authority type, either Local CA or Trusted CA.
      CA certificate that issued the server certificate Select the issuing server certificate from the dropdown menu.

     

    Allow all hosts/domain names

    Enable to allow all the hosts/domain names.

      Additional allowed hosts/domain names

    Specify any additional hosts that this site can serve, separated by commas or line breaks.

    This option is only available when Allow all hosts/domain names is disabled.

      Public IP/FQDN for FortiToken Mobile

    Enter the IP, or FQDN, of the FortiAuthenticator for external access.

    The mobile device running the FortiToken Mobile app requires access to the FortiAuthenticator interface for push to operate.

    Enter the IPs/FQDNs in the following format:
    ip_addr[:port] or FQDN[:port]

    Self-Service Portal Access Control Settings

     

    Username input format

    Select one of the following three username input formats:

    • username@realm

    • realm\username

    • realm/username

    Note: When authenticating against the default realm, the realm name is optional.

     

    Use default realm when user-provided realm is different from all configured realms

    When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

     

    Realms

    Add realms to which the client will be associated.

    • Select a realm from the dropdown menu in the Realm column.

    • Select whether or not to allow local users to override remote users for the selected realm.

    • Edit the group filter as needed to filter users based on the groups they are in.

    • If necessary, add more realms to the list.

    • Select the realm that will be the default realm for this client.

    REST API

     

    Restrict number of requests to

    Enter the maximum number of REST API requests sent, from 1 to 2880 requests. The default is set to 360.

     

    For duration

    Enter the amount of time for which the maximum number of requests is restricted, from 1 to 480 minutes. The default is set to 60.

  3. Select OK to apply any changes. See Certificate management for more information about certificates.