Fortinet white logo
Fortinet white logo

Administration Guide

Administrators

Administrators

In its factory default configuration, FortiWeb has one administrator account named admin with a blank password. This administrator has permissions that grant full access to FortiWeb’s features. When the admin user logs into FortiWeb for the first time or imports a configuration file with a blank password, the user will be forced to change the password. You can log into FortiWeb by the console, the telnet, or SSH to change the password. The admin user can't be deleted.

To prevent accidental changes to the configuration, it’s best if only network administrators—and if possible, only a single person—use the admin account. You can use the admin administrator account to configure more accounts for other people. Accounts can be made with different scopes of access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so via access profiles. See Configuring access profiles. Similarly, you can divide policies and protected host names and assign them to separate administrator accounts. For details, see Administrative domains (ADOMs).

For example, you could create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

Administrators may be able to access the web UI, the CLI, and use ping/traceroute through the network, depending on:

To determine which administrators are currently logged in, use the CLI command get system logged-users. For details, see the FortiWeb CLI Reference:

HTTPs://docs.fortinet.com/product/fortiweb/

To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other’s changes, enable How to use the web UI. For details, see Global web UI & CLI settings.
To configure an administrator account
  1. Before configuring the account:
  • Go to System > Admin > Administrators.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  • Click Create New to create a new account, or click Edit to change configurations for an existing account.
  • Configure these settings:
  • Administrator

    Type the name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration.

    The maximum length is 63 characters.

    Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name will be passed to the server via the remote authentication query.

    Type

    Select either:

    • Local User—Authenticate using an account whose name, password, and other settings are stored locally, in the FortiWeb appliance’s configuration.
    • Remote User—Authenticate by querying the remote server that stores the account’s name and password.

      If there is only one account configured on FortiWeb (i.e. the admin user), before setting it as a remote user, do make sure the remote authentication server is safe and stable. Once the remote authentication server is damaged and the account credentials are lost, FortiWeb can't recover it, which means the only one account that can log in to FortiWeb is lost. The configurations will be lost and you need to re-install FortiWeb image.

      Also configure Admin User Group.
    Password

    Type a password for the administrator account.

    This field is available only when Type is Local User.

    Tip: Set a strong password for every administrator account, and change the password regularly. Failure to maintain the password of every administrator account could compromise the security of your FortiWeb appliance. As such, it can constitute a violation of PCI DSS compliance and is against best practices. For improved security, the password should be at least eight characters long, be sufficiently complex, and be changed regularly.

    Confirm Password

    Re-enter the password to confirm its spelling.

    This field is available only when Type is Local User.

    Admin User Group

    Select a remote authentication query set. For details, see Grouping remote authentication queries and certificates for administrators.

    This field is available only when Type is Remote User.

    Caution: Secure your authentication server and, if possible, all query traffic to it. Compromise of the authentication server could allow attackers to gain administrative access to your FortiWeb.

    Wildcard

    This is used together with Remote User.

    • When wildcard is disabled, The system matches the user in the remote server exactly against the Administrator name and password you have specified.

    • When the wildcard is enabled, any users in the remote server will match.

    Note: When wildcard is enabled, and if you have defined a group name in the Admin User Group (User > User Group > Admin Group), then the system will match the users in the remote server whose group name value is the same as you defined.

    This field is available only when Type is Remote User.

    Trusted Host

    Type the source IP address(es) and netmask from which the administrator is allowed to log in to the FortiWeb appliance. If PING is enabled, this is also a source IP address to which FortiWeb will respond when it receives a ping or traceroute signal.

    Trusted areas can be single hosts, subnets, or a mixture.

    You can enter up to 10 entries, separating them with space, for example, "192.0.2.2/32 192.0.2.1/25".

    To allow logins only from one computer, enter its IP address and 32- or 128-bit netmask in all Trusted Host fields:

    192.0.2.2/32

    2001:0db8:85a3:::8a2e:0370:7334/128

    Caution: If you configure trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. any of its Trusted Host settings is 0.0.0.0/0.0.0.0), the FortiWeb appliance must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

    Tip: If you allow login from the Internet, set a longer and more complex Password, and enable only secure administrative access protocols (HTTPS and SSH) to minimize the security risk. For details about administrative access protocols, see Configuring the network interfaces. Also restrict trusted hosts to IPs in your administrator’s geographical area.

    Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

    Access Profile

    Select an existing access profile to grant permissions for this administrator account. For details about permissions, see Configuring access profiles and Permissions.

    You can select prof_admin, a special access profile used by the admin administrator account. The new administrator, without prof_admin profile, would not be able to reset passwords for other administrator users.

    This option does not appear for the admin administrator account, which by definition always uses the prof_admin access profile.

    Tip: Alternatively, if your administrator accounts authenticate via a RADIUS query, you can override this setting and assign their access profile through the RADIUS server using RFC 2548 (HTTP://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-specific RADIUS Attributes.

    On the RADIUS server, create an attribute named:

    ATTRIBUTE Fortinet-Access-Profile 6

    then set its value to be the name of the access profile that you want to assign to this account. Finally, in the CLI, enter the command to enable the override:

    config system admin

    edit "admin1"

    set accprofile-override enable

    end

    If none is assigned on the RADIUS server, or if it does not match the name of an existing access profile on FortiWeb, FortiWeb will fail back to use the one locally assigned by this setting.

    Force Password Change Enable to force the administrator to change the password for next login.
    This field can be configured only when Password Policy is enabled in System > Admin > Settings.
    Administrative Domain

    Select which existing ADOM to assign this administrator account to it, and to restrict its permissions to that ADOM.

    You can assign multiple ADOMs to one administrator account.

    For details about permissions, see Configuring access profiles and Permissions.

    This option appears only if ADOMs are enabled, and if Administrative Domain is not prof_admin. (prof_admin implies global access, with no restriction to an ADOM.)

  • Click OK.
  • Password hash

    The admin user password hash is changed from sha1 to sha256 since 7.2.0.

    If you upgrade FortiWeb from versions earlier than 7.2.0, the hash will keep the same as before, but if admin user changes its password or there is new admin users added, the password hash will be sha256.

    See also

    Administrators

    Administrators

    In its factory default configuration, FortiWeb has one administrator account named admin with a blank password. This administrator has permissions that grant full access to FortiWeb’s features. When the admin user logs into FortiWeb for the first time or imports a configuration file with a blank password, the user will be forced to change the password. You can log into FortiWeb by the console, the telnet, or SSH to change the password. The admin user can't be deleted.

    To prevent accidental changes to the configuration, it’s best if only network administrators—and if possible, only a single person—use the admin account. You can use the admin administrator account to configure more accounts for other people. Accounts can be made with different scopes of access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so via access profiles. See Configuring access profiles. Similarly, you can divide policies and protected host names and assign them to separate administrator accounts. For details, see Administrative domains (ADOMs).

    For example, you could create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

    Administrators may be able to access the web UI, the CLI, and use ping/traceroute through the network, depending on:

    To determine which administrators are currently logged in, use the CLI command get system logged-users. For details, see the FortiWeb CLI Reference:

    HTTPs://docs.fortinet.com/product/fortiweb/

    To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other’s changes, enable How to use the web UI. For details, see Global web UI & CLI settings.
    To configure an administrator account
    1. Before configuring the account:
  • Go to System > Admin > Administrators.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  • Click Create New to create a new account, or click Edit to change configurations for an existing account.
  • Configure these settings:
  • Administrator

    Type the name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration.

    The maximum length is 63 characters.

    Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name will be passed to the server via the remote authentication query.

    Type

    Select either:

    • Local User—Authenticate using an account whose name, password, and other settings are stored locally, in the FortiWeb appliance’s configuration.
    • Remote User—Authenticate by querying the remote server that stores the account’s name and password.

      If there is only one account configured on FortiWeb (i.e. the admin user), before setting it as a remote user, do make sure the remote authentication server is safe and stable. Once the remote authentication server is damaged and the account credentials are lost, FortiWeb can't recover it, which means the only one account that can log in to FortiWeb is lost. The configurations will be lost and you need to re-install FortiWeb image.

      Also configure Admin User Group.
    Password

    Type a password for the administrator account.

    This field is available only when Type is Local User.

    Tip: Set a strong password for every administrator account, and change the password regularly. Failure to maintain the password of every administrator account could compromise the security of your FortiWeb appliance. As such, it can constitute a violation of PCI DSS compliance and is against best practices. For improved security, the password should be at least eight characters long, be sufficiently complex, and be changed regularly.

    Confirm Password

    Re-enter the password to confirm its spelling.

    This field is available only when Type is Local User.

    Admin User Group

    Select a remote authentication query set. For details, see Grouping remote authentication queries and certificates for administrators.

    This field is available only when Type is Remote User.

    Caution: Secure your authentication server and, if possible, all query traffic to it. Compromise of the authentication server could allow attackers to gain administrative access to your FortiWeb.

    Wildcard

    This is used together with Remote User.

    • When wildcard is disabled, The system matches the user in the remote server exactly against the Administrator name and password you have specified.

    • When the wildcard is enabled, any users in the remote server will match.

    Note: When wildcard is enabled, and if you have defined a group name in the Admin User Group (User > User Group > Admin Group), then the system will match the users in the remote server whose group name value is the same as you defined.

    This field is available only when Type is Remote User.

    Trusted Host

    Type the source IP address(es) and netmask from which the administrator is allowed to log in to the FortiWeb appliance. If PING is enabled, this is also a source IP address to which FortiWeb will respond when it receives a ping or traceroute signal.

    Trusted areas can be single hosts, subnets, or a mixture.

    You can enter up to 10 entries, separating them with space, for example, "192.0.2.2/32 192.0.2.1/25".

    To allow logins only from one computer, enter its IP address and 32- or 128-bit netmask in all Trusted Host fields:

    192.0.2.2/32

    2001:0db8:85a3:::8a2e:0370:7334/128

    Caution: If you configure trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. any of its Trusted Host settings is 0.0.0.0/0.0.0.0), the FortiWeb appliance must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

    Tip: If you allow login from the Internet, set a longer and more complex Password, and enable only secure administrative access protocols (HTTPS and SSH) to minimize the security risk. For details about administrative access protocols, see Configuring the network interfaces. Also restrict trusted hosts to IPs in your administrator’s geographical area.

    Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

    Access Profile

    Select an existing access profile to grant permissions for this administrator account. For details about permissions, see Configuring access profiles and Permissions.

    You can select prof_admin, a special access profile used by the admin administrator account. The new administrator, without prof_admin profile, would not be able to reset passwords for other administrator users.

    This option does not appear for the admin administrator account, which by definition always uses the prof_admin access profile.

    Tip: Alternatively, if your administrator accounts authenticate via a RADIUS query, you can override this setting and assign their access profile through the RADIUS server using RFC 2548 (HTTP://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-specific RADIUS Attributes.

    On the RADIUS server, create an attribute named:

    ATTRIBUTE Fortinet-Access-Profile 6

    then set its value to be the name of the access profile that you want to assign to this account. Finally, in the CLI, enter the command to enable the override:

    config system admin

    edit "admin1"

    set accprofile-override enable

    end

    If none is assigned on the RADIUS server, or if it does not match the name of an existing access profile on FortiWeb, FortiWeb will fail back to use the one locally assigned by this setting.

    Force Password Change Enable to force the administrator to change the password for next login.
    This field can be configured only when Password Policy is enabled in System > Admin > Settings.
    Administrative Domain

    Select which existing ADOM to assign this administrator account to it, and to restrict its permissions to that ADOM.

    You can assign multiple ADOMs to one administrator account.

    For details about permissions, see Configuring access profiles and Permissions.

    This option appears only if ADOMs are enabled, and if Administrative Domain is not prof_admin. (prof_admin implies global access, with no restriction to an ADOM.)

  • Click OK.
  • Password hash

    The admin user password hash is changed from sha1 to sha256 since 7.2.0.

    If you upgrade FortiWeb from versions earlier than 7.2.0, the hash will keep the same as before, but if admin user changes its password or there is new admin users added, the password hash will be sha256.

    See also