FortiCache 4.0.1 Administration Guide

Administration settings

The Admin menu provides settings for configuring administrators and their profiles, as well as basic administrative settings such as changing the default language.

This section describes:

 

- Administrators
- Administrative profiles
- Settings

Administrators

Administrators are configured in System > Admin > Administrators. There is already a default administrator account on the unit named admin that uses the super_admin administrator profile.

You need to use the default admin account, an account with the super_admin admin profile, or an administrator with read-write access control to add new administrator accounts and control their permission levels. If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will show only the administrators for the current virtual domain.

The Administrators page lists the default super-admin administrator account, and all administrator accounts that you have created.

Create New: Creates a new administrator account.
Edit: Modifies settings within an administrator’s account. When you select Edit, you are automatically redirected to the Edit Administrator page.
Delete: Removes an administrator account.

You cannot delete the original admin account until you create another user with the super_admin profile, log out of the admin account, and log in with the alternate user that has the super_admin profile.

To remove multiple administrator accounts, select multiple rows in the list by holding down the Ctrl or Shift key, then select Delete.

Name: The login name for an administrator account.
Trusted Hosts: The IP address and netmask of trusted hosts from which the administrator can log in.
Profile: The admin profile for the administrator.
Type: The type of authentication for this administrator, one of:

- Local: Authentication of an account with a local password stored on the FortiCache unit.
- Remote: Authentication of a specific account on a RADIUS, Lightweight Directory Access Protocol (LDAP), or Terminal Access Controller Access-Control System (TACACS+) server.
- Remote+Wildcard: Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
- PKI: PKI-based certificate authentication of an account.

Comments: The comments about the administrator account.

Right-click on any column heading to adjust the visible columns or reset all the columns to their default settings.

Adding a new administrator

Select Create New to open the New Administrator page. It provides settings for configuring an administrator account. When you are configuring an administrator account, you can enable authentication for an admin from an LDAP, RADIUS, or local server.

Configure the following settings:

Administrator: Enter the login name for the administrator account.

The name of the administrator should not contain the characters <, >, (, ), #, ", or '. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability.

Type: Select the type of administrator account: Regular, Remote, or PKI.
  Regular: Select to create a Local administrator account.
  Remote: Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first.
  PKI: Select to enable certificate-based authentication for the administrator.

Only one administrator can be logged in with PKI authentication enabled.

User Group: Select the administrator user group whose members are the Remote server/PKI (peer) users. The administrator user group cannot be deleted once the group is selected for authentication.

This option is only available if Type is Remote or PKI.

Wildcard: Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators.

This option is only available if Type is Remote.

Password: Enter a password for the administrator account. For improved security, the password should be at least 6 characters long.

This option is only available if Type is Regular.

Backup Password: Enter a backup password for the administrator account. For improved security, the password should be at least 6 characters long. This option is only available if Type is Remote and Wildcard is not selected.
Confirm Password: Type the password for the administrator account a second time to confirm that you have typed it correctly.

This option is not available if Type is PKI or Wildcard is selected.

Comments: Optionally, enter comments about the administrator.
Admin Profile: Select the admin profile for the administrator. You can also select Create New to create a new admin profile.
Restrict this Admin Login from Trusted Hosts Only: Select to restrict this administrator login to specific trusted hosts, then enter the trusted hosts’ IP addresses and netmasks. You can specify up to ten trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0.
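The character restriction on the Administrator name above is an input-validation rule; the XSS risk it guards against is only fully closed when the GUI also escapes the name on output. The following Python is an added example written for this page (it is not FortiCache code and does not describe how the product implements the check): it rejects the characters the guide lists and shows HTML escaping as the second, independent layer. The sample names are constructed.

```python
import html

# Characters the guide forbids in administrator names. A name containing them could
# be rendered unescaped into a GUI page and become a cross site scripting vector.
FORBIDDEN_NAME_CHARS = frozenset('<>()#"\'')


def admin_name_problems(name):
    """Return the forbidden characters found in `name` (sorted), plus an entry for an empty name."""
    problems = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if not name.strip():
        problems.append("empty name")
    return problems


def is_valid_admin_name(name):
    return not admin_name_problems(name)


def render_admin_cell(name):
    """Second layer of defence, independent of the input check: HTML-escape the name
    before it is placed into markup, so the forbidden characters lose their meaning."""
    return "<td>%s</td>" % html.escape(name, quote=True)


# Constructed sample names, not taken from any real configuration.
SAMPLE_NAMES = ["netops-admin", "ops<1>", 'audit"r', "   "]


def check_samples(names=SAMPLE_NAMES):
    """Map each sample name to its problem list and its safely rendered table cell."""
    return {n: (admin_name_problems(n), render_admin_cell(n)) for n in names}


if __name__ == "__main__":
    for name, (problems, cell) in check_samples().items():
        print(repr(name), "rejected" if problems else "accepted", problems, cell)
```

Rejecting the name at creation time keeps bad data out of the configuration; escaping at render time protects against names that arrived by another path (a restored backup, an older release, a remote directory).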

Regular (password) authentication for administrators

You can use a password stored on the local unit to authenticate an administrator. When you select Regular for Type, you will see Local as the entry in the Type column when you view the list of administrators.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator can connect only through the subnet or subnets that you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.

The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a non-zero address, the other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.
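The trusted-host rules above (up to ten entries per administrator, the 0.0.0.0/0.0.0.0 wildcard, non-zero entries overriding zero ones, and one unrestricted administrator exposing the whole unit) can be expressed as a small check. The following Python is an added example written for this page, not code from the FortiCache product or guide; the administrator names and addresses are constructed, and unit_answers is a hypothetical model of the behaviour the guide describes.

```python
import ipaddress

# Per the guide, each administrator can have up to ten trusted hosts, entered as an
# address plus netmask, and every entry defaults to 0.0.0.0/0.0.0.0.
UNRESTRICTED = ("0.0.0.0", "0.0.0.0")
MAX_TRUSTED_HOSTS = 10


def effective_trusted_networks(trusted_hosts):
    """Apply the guide's rule: if every entry is the zero address the administrator is
    unrestricted (wildcard); once any entry is non-zero, the zero entries are ignored.
    Returns the networks that actually apply; an empty list means any host."""
    if len(trusted_hosts) > MAX_TRUSTED_HOSTS:
        raise ValueError("at most %d trusted hosts per administrator" % MAX_TRUSTED_HOSTS)
    return [
        ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
        for addr, mask in trusted_hosts
        if (addr, mask) != UNRESTRICTED
    ]


def admin_allowed_from(trusted_hosts, source_ip):
    """True if a login for this administrator would be accepted from source_ip."""
    networks = effective_trusted_networks(trusted_hosts)
    if not networks:
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in networks)


def unrestricted_admins(admins):
    """Names of administrators whose trusted hosts are still the wildcard default."""
    return sorted(name for name, hosts in admins.items() if not effective_trusted_networks(hosts))


def unit_answers(admins, source_ip):
    """Hypothetical model of the guide's statement: the unit responds to an administrative
    access attempt from source_ip if at least one administrator is allowed from it, so a
    single unrestricted administrator exposes the management services to every source."""
    return any(admin_allowed_from(hosts, source_ip) for hosts in admins.values())


# Constructed example configuration (hypothetical administrator names, RFC 5737 addresses).
ADMINS = {
    "admin": [("10.0.1.0", "255.255.255.0"), UNRESTRICTED, UNRESTRICTED],  # zero entries ignored
    "netops": [("192.0.2.10", "255.255.255.255")],                        # pinned to one host
    "contractor": [UNRESTRICTED],                                         # wildcard: unrestricted
}


def audit(admins=ADMINS):
    """Return the unrestricted administrators and whether an arbitrary Internet
    address (203.0.113.7, constructed) could reach the management interface."""
    return unrestricted_admins(admins), unit_answers(admins, "203.0.113.7")


if __name__ == "__main__":
    print(audit())
```

Running audit() on the sample shows that the single wildcard entry on the contractor account is enough for the unit to answer from anywhere; removing it leaves only the two specified networks reachable.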

Administrative profiles

Each administrator account belongs to an admin profile. The admin profile separates FortiCache features into access control categories for which an administrator with read-write access can enable none (deny), read only, or read-write access.

Read-only access for a GUI page enables the administrator to view that page. However, the administrator needs write access to change the settings on the page.

The admin profile has a similar effect on administrator access to CLI commands. You can access get and show commands with Read Only access, but access to config commands requires Read-Write access.

When an administrator has read-only access to a feature, the administrator can access the GUI page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons and lists display only the View icon instead of icons for Edit, Delete, or other modification commands.

You need to use the admin account or an account with read-write access to create or edit admin profiles.
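The mapping the guide describes (none / read-only / read-write per category; get and show need Read Only, config needs Read-Write; read-only pages show only View) is an ordered-level authorization check. The following Python is an added example written for this page, not FortiCache code: it builds a profile the way the New Admin Profile page does (one level for all categories, then per-category overrides) and authorizes constructed CLI lines and GUI controls against it.

```python
# Access levels in ascending order; a higher index grants everything a lower one does.
ACCESS_LEVELS = ("none", "read-only", "read-write")

# Top-level access control categories listed by the guide.
CATEGORIES = (
    "System Configuration", "Firewall Configuration", "Security Profile Configuration",
    "Content Analysis", "User & Device", "WAN Opt & Cache", "Log & Report",
)

# Minimum level each CLI verb needs (guide: get/show need Read Only, config needs Read-Write).
CLI_VERB_REQUIREMENT = {"get": "read-only", "show": "read-only", "config": "read-write"}


def make_profile(default_level, overrides=None):
    """Build a profile: one level for all categories (None / Read Only / Read-Write),
    then per-category selections on top, as the New Admin Profile page allows."""
    if default_level not in ACCESS_LEVELS:
        raise ValueError("unknown access level %r" % default_level)
    profile = {category: default_level for category in CATEGORIES}
    for category, level in (overrides or {}).items():
        if category not in CATEGORIES or level not in ACCESS_LEVELS:
            raise ValueError("bad override %r=%r" % (category, level))
        profile[category] = level
    return profile


def has_access(profile, category, needed):
    return ACCESS_LEVELS.index(profile[category]) >= ACCESS_LEVELS.index(needed)


def cli_command_allowed(profile, category, command_line):
    """Authorize a CLI line by its leading verb against the profile's level for the category."""
    verb = command_line.split()[0]
    if verb not in CLI_VERB_REQUIREMENT:
        raise ValueError("unrecognized CLI verb %r" % verb)
    return has_access(profile, category, CLI_VERB_REQUIREMENT[verb])


def gui_controls(profile, category):
    """Controls a GUI page shows for this category: read-only pages have only View;
    read-write pages add Create/Apply/Edit/Delete; no access shows nothing."""
    if has_access(profile, category, "read-write"):
        return ["Create New", "Apply", "Edit", "Delete", "View"]
    if has_access(profile, category, "read-only"):
        return ["View"]
    return []


# Constructed example: a helpdesk profile that can read most categories, cannot see
# firewall configuration at all, and may change only logging settings.
HELPDESK = make_profile("read-only", {"Log & Report": "read-write",
                                      "Firewall Configuration": "none"})

if __name__ == "__main__":
    # Constructed command lines, used only to show the verb check.
    for category, line in (("System Configuration", "show system status"),
                           ("System Configuration", "config system admin"),
                           ("Log & Report", "config log setting")):
        print(category, "|", line, "->", cli_command_allowed(HELPDESK, category, line))
```

Keeping the check on an ordered tuple rather than on string comparisons means a future level slots in without touching the verb table, and the same has_access function serves both the CLI and the GUI.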

Administrative profile settings

The Admin Profile page lists all administration profiles that you created as well as the default admin profiles. On this page, you can edit, delete, or create a new admin profile.

To view administrator profiles, go to System > Admin > Admin Profile.

The following options are available:

Create New: Creates a new profile. See Adding an administrator profile.
Edit: Modifies the selected admin profile’s settings. When you select Edit, you are automatically redirected to the Edit Admin Profile page.
Delete: Removes the admin profile from the list on the page.

You cannot delete an admin profile that has administrators assigned to it. To remove multiple admin profiles, select multiple rows in the list by holding down the Ctrl or Shift key, then select Delete.

Name: The name of the admin profile.
Comments: Comments about the admin profile.
Ref.: Displays the number of times the object is referenced by other objects. To view the locations of the referencing objects, select the number in Ref.; the Object Usage window opens and displays the various locations where the object is referenced.

Adding an administrator profile

Select Create New to open the New Admin Profile page. It provides settings for configuring an administrator profile. When you are editing an existing admin profile, you are automatically redirected to the Edit Admin Profile page.

Configure the following settings, then select OK to create the new administrator profile:

Profile Name: Enter a name for the new admin profile.
Comments: Optionally, add comments about the admin profile.
Access Control: List of the items that can customize access control settings if configured.
  None: Deny access to all Access Control categories.
  Read Only: Enable read-only access in all Access Control categories.
  Read-Write: Select to allow read-write access in all Access Control categories.
Access Control (categories): Make specific access control selections as required.

- System Configuration
  - Network Configuration
  - Administrator Users
  - FortiGuard Update
  - Maintenance
  - Router Configuration
- Firewall Configuration
  - Policy Configuration
  - Address Configuration
  - Service Configuration
  - Schedule Configuration
  - Other Configuration
- Security Profile Configuration
  - AntiVirus
  - Web Filter
  - Data Leak Prevention
  - ICAP
- Content Analysis
- User & Device
- WAN Opt & Cache
- Log & Report
  - Configuration
  - Data Access

Settings

Use admin settings to configure general settings for web administration access, password policies, idle timeout settings, and display settings. You can also configure FortiCache Manager support.

Go to System > Admin > Settings to configure administrator settings.

Configure the following settings:

Central Management
FortiCache Manager > IP/Domain Name: Provides support for the upcoming FortiCache Manager. You can enable the communication in FortiCache the same way you would handle a FortiGate connecting to a FortiManager.
FortiCloud: Enable this option to use FortiCloud for all FortiGuard communications.
None: Enable this option to have no central management.

 

Administration Settings
HTTP Port: TCP port to be used for administrative HTTP access. The default is 80. Select Redirect to HTTPS to force redirection to HTTPS.
HTTPS Port: TCP port to be used for administrative HTTPS access. The default is 443.
Telnet Port: TCP port to be used for administrative telnet access. The default is 23.
SSH Port: TCP port to be used for administrative SSH access. The default is 22.
Idle Timeout: The time after which the GUI logs out an idle administrator session, from 1 to 480 minutes.
Enable Password Policy: Select to enable a password policy.
Minimum Length: Set the minimum acceptable length for passwords, from 8 to 128 characters.
Must Contain at Least: Select to require special characters, upper or lower case letters, or numbers.

Enter information for one or all of the following. Each selected type must occur at least once in the password.

- UpperCase Letters – A, B, C, … Z
- LowerCase Letters – a, b, c, … z
- Numbers (0-9) – 0, 1, 2, … 9
- Special characters – @, ?, #, … %

Apply Password Policy to: Select to apply the password policy to the Administrator Password. If any password does not conform to the policy, require that administrator to change the password at the next login.
Enable Password Expiration: Require administrators to change their password after a specified number of days. Enter the number of days in the field. The default is 90 days.
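The password policy settings above (minimum length within 8 to 128, required character classes, expiration with a 90-day default, and forced change at next login for a non-conforming or expired password) amount to a small validator. The following Python is an added example written for this page, not FortiCache code and not a description of how the product stores or checks passwords; the policy values and sample passwords are constructed, and treating ASCII punctuation as the special-character set is an assumption, since the guide only lists "@, ?, #, ... %".

```python
import string
from datetime import date, timedelta

# Constructed example policy, using the ranges and default from the guide:
# minimum length 8..128, optional character classes, expiration default 90 days.
POLICY = {
    "enabled": True,
    "min_length": 12,
    "require_upper": True,
    "require_lower": True,
    "require_number": True,
    "require_special": True,
    "expire_days": 90,
}

# The guide lists special characters as "@, ?, #, ... %"; ASCII punctuation is assumed here.
SPECIAL_CHARS = frozenset(string.punctuation)

CHARACTER_CLASSES = (
    ("require_upper", "an upper-case letter", frozenset(string.ascii_uppercase)),
    ("require_lower", "a lower-case letter", frozenset(string.ascii_lowercase)),
    ("require_number", "a number", frozenset(string.digits)),
    ("require_special", "a special character", SPECIAL_CHARS),
)


def check_password(password, policy=POLICY):
    """Return the list of policy violations; an empty list means the password conforms."""
    if not policy["enabled"]:
        return []
    if not 8 <= policy["min_length"] <= 128:
        raise ValueError("minimum length must be between 8 and 128")
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("must be at least %d characters" % policy["min_length"])
    for key, label, chars in CHARACTER_CLASSES:
        if policy[key] and not any(c in chars for c in password):
            problems.append("must contain at least " + label)
    return problems


def password_expired(last_changed, today, policy=POLICY):
    """True once the password is at least expire_days old."""
    if not policy["enabled"] or not policy["expire_days"]:
        return False
    return today - last_changed >= timedelta(days=policy["expire_days"])


def must_change_at_login(password, last_changed, today, policy=POLICY):
    """Per the guide: a password that does not conform to the policy, or that has expired,
    has to be changed at the administrator's next login."""
    return bool(check_password(password, policy)) or password_expired(last_changed, today, policy)


if __name__ == "__main__":
    # Constructed sample values.
    print(check_password("Correct-Horse9"))
    print(check_password("password"))
    print(must_change_at_login("Correct-Horse9", date(2024, 1, 1), date(2024, 3, 31)))
```

Returning the full list of violations, rather than the first one, is what lets a GUI tell the administrator everything that is wrong with a proposed password in one round trip.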
View Settings
Language: The language the GUI uses: English, French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean.

You should select the language that the operating system of the management computer uses.

Lines per Page: Number of lines per page to display in table lists. From 20 to 1000, default = 50.

Certificates

The FortiCache unit generates a certificate request based on the information you entered to identify the FortiCache unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiCache unit and then forward the request to a CA.

The certificate window also enables you to export certificates for authentication, importing, and viewing.

This section includes:

- Local CA Certificates
- Certificates
- External CA Certificates

Local CA Certificates

Local certificates are issued for a specific server or website. Generally they are very specific, and often for an internal enterprise network.

To manage local certificates, go to System > Certificates.

The following information is available:

Generate: Generate a CSR. See To generate a CSR, below.
Edit: Highlight a certificate and select Edit to edit the certificate.
Delete: Select the checkbox next to a certificate entry and select Delete to remove the selected certificate or CSR. Select OK in the confirmation dialog box to proceed with the delete action.
Import: Import a certificate. Select any of the options under the dropdown:

- Local Certificate
- Remote Certificate
- CA Certificate
- CRL

See Import a certificate.

View Details: View a certificate. See View certificate details.
Download: Select a certificate or CSR, then select Download to download that certificate or CSR to your management computer.

Certificates

Name: The name of the certificate.
Subject: The subject of the certificate.
Comments: Comments about the certificate.
Issuer: The issuer of the certificate.
Expires: Displays the certificate’s expiry date and time.
Status: The status of the certificate or CSR.

- OK: the certificate is okay.
- NOT AVAILABLE: the certificate is not available, or the request was rejected.
- PENDING: the certificate request is pending.

Ref.: Displays the number of times the certificate or CSR is referenced by other objects.

To view the locations of the referencing objects, select the number in Ref., and the Object Usage window appears displaying the various locations where the certificate or CSR is referenced.

Whether you create certificates locally or obtain them from an external certificate service, a Certificate Signing Request (CSR) will need to be generated.

When a CSR is generated, a private and public key pair is created for the FortiCache unit. The generated request includes the public key of the device, and information such as the unit’s public static IP address, domain name, or email address. The device’s private key remains confidential on the unit.

After the request is submitted to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate, after which you can install the certificate on the FortiCache device.

To generate a CSR:

  1. From the local certificates list, select Generate.

The Generate Certificate Signing Request page opens.

  2. Enter the following information:
Certificate Name: Enter a unique name for the certificate request, such as the host name, or the serial number of the device.

Do not include spaces in the certificate name, to ensure compatibility as a PKCS12 file.

Subject Information: Select the ID type from the drop-down list:

- Host IP: Select if the unit has a static IP address. Enter the device’s IP address in the IP Address field.
- Domain Name: Enter the device’s domain name or FQDN in the Domain Name field.
- E-mail: Enter the email address of the device’s administrator in the Email field.

Optional Information: Optional information to further identify the device.
  Organization Unit: The name of the department. Up to 5 OUs can be added.
  Organization: The legal name of the company or organization.
  Locality (City): The name of the city where the unit is located.
  State/Province: The name of the state or province where the unit is located.
  Country/Region: The country where the unit is located. Select from the drop-down list.
  E-mail: The contact email address.


Subject Alternative Name: One or more alternative names, separated by commas, for which the certificate is also valid.

An alternative name can be: email address, IP address, URI, DNS name, or a directory name.

Each name must be preceded by its type, for example: IP:1.2.3.4, or URL:http://your.url.here/.

Key Type: The key type is RSA. It cannot be changed.
Key Size: Select the key size from the drop-down list: 1024, 1536, or 2048 bits. Larger key sizes are more secure, but slower to generate.
Enrollment Method: Select the enrollment method:

- File Based: Generate the certificate request.
- Online SCEP: Obtain a signed, Simple Certificate Enrollment Protocol (SCEP) based certificate automatically over the network. Enter the CA server URL and challenge password in their respective fields.

  3. Select OK to generate the CSR.
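The CSR form above has several inputs whose format matters: a certificate name with no spaces (PKCS12 compatibility), an ID type with a matching value, a key size from the offered list, and a Subject Alternative Name list where every entry carries a type prefix. The following Python is an added example written for this page, not FortiCache code: it parses the SAN syntax and validates the other form fields before a request would be generated. The guide shows only the IP: and URL: prefixes; the other prefix spellings (DNS, email, URI, dirName) follow OpenSSL's subjectAltName syntax and are an assumption for FortiCache. No key pair is generated; the sample values are constructed.

```python
import ipaddress
import re

# Choices offered by the Generate Certificate Signing Request page, per the guide.
KEY_SIZES = (1024, 1536, 2048)
ID_TYPES = ("Host IP", "Domain Name", "E-mail")
ENROLLMENT_METHODS = ("File Based", "Online SCEP")

# Type prefixes for Subject Alternative Name entries. The guide shows "IP:" and "URL:";
# the remaining prefixes follow OpenSSL's subjectAltName spelling (an assumption here).
# "URL" is accepted as a synonym of "URI".
SAN_TYPES = ("IP", "DNS", "email", "URI", "dirName")
HOSTNAME_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def parse_san(san_string):
    """Parse a comma-separated SAN list where each name is preceded by its type."""
    entries = []
    for raw in san_string.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if ":" not in raw:
            raise ValueError("SAN entry %r has no type prefix" % raw)
        kind, value = (part.strip() for part in raw.split(":", 1))
        if kind == "URL":
            kind = "URI"
        if kind not in SAN_TYPES:
            raise ValueError("unknown SAN type %r" % kind)
        if kind == "IP":
            ipaddress.ip_address(value)  # raises ValueError on a malformed address
        elif kind == "DNS" and not HOSTNAME_RE.fullmatch(value):
            raise ValueError("bad DNS name %r" % value)
        elif kind == "email" and "@" not in value:
            raise ValueError("bad email address %r" % value)
        elif kind == "URI" and "://" not in value:
            raise ValueError("bad URI %r" % value)
        entries.append((kind, value))
    return entries


def build_csr_request(name, id_type, id_value, key_size=2048,
                      san="", enrollment="File Based", optional=None):
    """Validate the form inputs and return the request as a dict (no key is generated here)."""
    if not name or " " in name:
        raise ValueError("certificate name must be non-empty and contain no spaces (PKCS12)")
    if id_type not in ID_TYPES:
        raise ValueError("ID type must be one of %s" % (ID_TYPES,))
    if id_type == "Host IP":
        ipaddress.ip_address(id_value)
    elif id_type == "Domain Name" and not HOSTNAME_RE.fullmatch(id_value):
        raise ValueError("bad domain name %r" % id_value)
    elif id_type == "E-mail" and "@" not in id_value:
        raise ValueError("bad email address %r" % id_value)
    if key_size not in KEY_SIZES:
        raise ValueError("key size must be one of %s" % (KEY_SIZES,))
    if enrollment not in ENROLLMENT_METHODS:
        raise ValueError("unknown enrollment method %r" % enrollment)
    return {
        "name": name,
        "subject": {id_type: id_value},
        "optional": dict(optional or {}),
        "subject_alt_names": parse_san(san),
        "key_type": "RSA",  # fixed by the form
        "key_size": key_size,
        "enrollment": enrollment,
    }


if __name__ == "__main__":
    # Constructed sample input.
    print(build_csr_request("cache01", "Domain Name", "cache01.example.com", 2048,
                            san="IP:192.0.2.10, DNS:cache01.example.com, URL: https://cache01.example.com/"))
```

Validating the SAN list before submission matters because a CA will sign whatever names the request carries; a typo in an IP or DNS entry produces a certificate that is valid for the wrong name and has to be revoked and reissued.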
