Administration Guide

System access

To adjust system access settings:
  1. Go to System > Administration > System Access. The Edit System Access Settings page will open.

  2. The following settings are available:
    Administrative Access

    Require strong cryptography

    Enable this option to restrict administrative access using stronger cryptographic algorithms.

    FortiAuthenticator supports the following cryptographic protocols:

    • TLS 1.2: AES128/256 GCM/CBC, SHA256/384, DHE2048, and ECDHx25519.

    • TLS 1.3: AES128/256 GCM, SHA256/384, and ECDHx25519.

    Enable pre-authentication warning message

    Pre-authentication warning messages can be found under Authentication > Portals > Replacement Messages.

    CLI Access

    CLI idle timeout

    Enter the amount of time before the CLI times out due to inactivity, from 0 to 480 minutes (maximum of eight hours).

    GUI Access

    Site title

    Specify the string to display as the page title in web browsers. The following variables are available for the construction of the string:

    • {{:hostname}}: Host name

    • {{:fqdn}}: Device FQDN

    The default is set to FortiAuthenticator.

    GUI idle timeout

    Enter the amount of time before the GUI times out due to inactivity, from 1 to 480 minutes (maximum of eight hours).

    Maximum HTTP header length

    Enter the maximum HTTP header length, from 4 to 16 KB.

    HTTPS Certificate

    Select an HTTPS certificate from the dropdown menu.

    HTTP Strict Transport Security (HSTS) Expiry

    Enable or disable HSTS enforcement, to avoid SSL sniffing attacks, and set an expiry from 0 to 730 days (where 0 means no expiry, maximum of two years). The default is set to 180.

    Certificate authority type

    Select the authority type of the selected certificate, either Local CA or Trusted CA.

    CA certificate that issued the server certificate

    Select the issuing server certificate from the dropdown menu.

    Allow all hosts/domain names

    Enable to allow all the hosts/domain names.

    Additional allowed hosts/domain names

    Specify any additional hosts that this site can serve, separated by commas or line breaks.

    This option is only available when Allow all hosts/domain names is disabled.

    Public IP/FQDN for FortiToken Mobile

    Enter the IP, or FQDN, of the FortiAuthenticator for external access.

    The mobile device running the FortiToken Mobile app requires access to the FortiAuthenticator interface for push to operate.

    Enter the IPs/FQDNs in the following format:
    ip_addr[:port] or FQDN[:port]

    Legacy Self-Service Portal And OAuth Access Control Settings

    Username input format

    Select one of the following three username input formats:

    • username@realm

    • realm\username

    • realm/username

    Note: When authenticating against the default realm, the realm name is optional.

    Use default realm when user-provided realm is different from all configured realms

    When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

    Realms

    Add realms to which the client will be associated.

    • Select a realm from the dropdown menu in the Realm column.

    • Select whether or not to allow local users to override remote users for the selected realm.

    • Edit the group filter as needed to filter users based on the groups they are in.

    • If necessary, add more realms to the list.

    • Select the realm that will be the default realm for this client.

    REST API

    Restrict number of requests to

    Enter the maximum number of REST API requests sent, from 1 to 2880 requests. The default is set to 360.

    For duration

    Enter the amount of time for which the maximum number of requests is restricted, from 1 to 480 minutes. The default is set to 60.

    Use geolocation in FortiToken Mobile push notifications

    Enable or disable geolocation lookup for the user IP address (if possible).

    Inbound Proxy

    End-user source IP origin when going through a proxy (in order of priority)

    Get proxy IP from FORWARDED HTTP header (if available)

    Enable to get the proxy IP address from the FORWARDED HTTP header when available.

    Configure valid FORWARDED "by" values

    Enable to specify a list of valid "by" identifiers for the FORWARDED header, separated by a comma or a new line.

    This determines the client IP address used while logging in, and can be used to determine whether a proxy IP address is trusted by some security features (for example, trusted subnets for SAML IdP and admin GUI access, and user portal adaptive authentication).

    Note: This option provides a way to select the correct source IP address when requests pass through a chain of inbound proxies. It also provides additional protection against spoofing.

    Get proxy IP from X_FORWARDED_FOR HTTP header (if available)

    Enable to get the proxy IP address from the X_FORWARDED_FOR HTTP header (the non-standard equivalent of the FORWARDED "for" parameter) when available.

    Note: When Get proxy IP from FORWARDED HTTP header (if available) and Get proxy IP from X_FORWARDED_FOR HTTP header (if available) options are enabled, FortiAuthenticator looks for a matching "FORWARDED" header and only uses the "X_FORWARDED_FOR" header if a valid "FORWARDED" header is not present.

  3. Select OK to apply any changes. See Certificate management for more information about certificates.
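
The header precedence described under Inbound Proxy, as an added Python example (not FortiAuthenticator's code): a FORWARDED header is used only when its "by" value is on the valid list, X-Forwarded-For is the fallback, and the socket peer is the last resort. The `_edge1`/`_core1` identifiers, the right-to-left walk over trusted hops and the use of the right-most X-Forwarded-For entry are assumptions made for illustration.

```python
import ipaddress
import re

_PAIR = re.compile(r'\s*([^=;,\s"]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s]*)\s*([;,]?)')

def parse_forwarded(value):
    """Return one dict per forwarded-element (RFC 7239), in header order; [] if malformed."""
    elements, current, pos = [], {}, 0
    while pos < len(value):
        m = _PAIR.match(value, pos)
        if not m or (not m.group(3) and m.end() < len(value)):
            return []
        key, val, sep = m.groups()
        if val.startswith('"'):  # quoted-string: drop the quotes, unescape
            val = re.sub(r'\\(.)', r'\1', val[1:-1])
        current[key.lower()] = val
        if sep != ';':  # ',' or end of header closes the element
            elements.append(current)
            current = {}
        pos = m.end()
    return elements

def node_ip(node):
    """IP from 'ip', 'ip:port' or '[ipv6]:port'; None for unknown or obfuscated nodes."""
    host = node.strip()
    if host.startswith('['):
        host = host[1:].split(']', 1)[0]
    elif host.count(':') == 1:
        host = host.split(':', 1)[0]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None

def client_ip(headers, peer_ip, valid_by):
    """Assumed policy (illustration only): trusted Forwarded hops, then right-most XFF, then peer."""
    chosen = None
    for element in reversed(parse_forwarded(headers.get('Forwarded', ''))):
        if element.get('by') not in valid_by:
            break  # hop we cannot vouch for: ignore it and everything to its left
        chosen = node_ip(element.get('for', '')) or chosen
    if chosen:
        return chosen, 'forwarded'
    last = node_ip(headers.get('X-Forwarded-For', '').split(',')[-1])
    if last:
        return last, 'x-forwarded-for'
    return peer_ip, 'peer'

# Constructed sample: a spoofed left-most element, then two hops with valid "by" ids.
SAMPLE = {'Forwarded': 'for=10.0.0.1, for=198.51.100.23;by=_edge1, for=192.0.2.10;by=_core1'}
```

With `valid_by = {'_edge1', '_core1'}` the sample resolves to 198.51.100.23: the client-supplied first element carries no valid "by" value, so the walk stops before it.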
