Administrator settings

The Admin Settings page allows you to configure global settings for administrator access to the FortiAnalyzer unit, including:

• Ports for HTTPS and HTTP administrative access
• HTTPS & Web Service server certificate
• Idle Timeout settings
• Language of the web-based manager
• Password Policy

Only the admin administrator can configure these system options, which apply to all administrators logging onto the FortiAnalyzer unit.

To configure administrative settings:

1. Go to System Settings > Admin > Admin Settings.

The Settings dialog box opens.

Figure 62:Settings dialog box

2. Configure the following settings:

Administration Settings

HTTP Port	Enter the TCP port to be used for administrative HTTP access.
Redirect to HTTPS	Select this option to automatically redirect to HTTPS from administrative HTTP access.
HTTPS Port	Enter the TCP port to be used for administrative HTTPS access.
HTTPS & Web Service Server Certificate	Select a certificate from the drop-down list.
Idle Timeout	Enter the number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To ensure security, the idle timeout should be a short period of time to avoid the administrator inadvertently leaving the management computer logged in to the FortiAnalyzer unit, creating the possibility of someone walking up and modifying the network options.
Language	Select a language from the drop-down list. Select either English, Simplified Chinese, Traditional Chinese, Japanese, Korean, or Auto Detect. The default value is Auto Detect.
Password Policy
Enable	Select to enable administrator passwords.
Minimum Length	Select the minimum length for a password. The default is eight characters.
Must Contain	Select the types of characters that a password must contain.
Admin Password Expires after	Select the number of days that a password is valid for, after which time it must be changed.

3. Select Apply to save your settings. The settings are applied to all administrator accounts.

Configure two-factor authentication for administrator login

To configure two-factor authentication for administrator login you will need the following:

• FortiAnalyzer
• FortiAuthenticator
• FortiToken

FortiAuthenticator side configuration

The following instructions describes the steps required on your FortiAuthenticator device.

Before proceeding, ensure that you have configured your FortiAuthenticator and that you have created a NAS entry for your FortiAnalyzer and created/imported FortiTokens. For more information, see the FortiAuthenticator Interoperability Guide and FortiAuthenticator Administration Guide available in the Fortinet Document Library.

To create a new local user:

1. Go to Authentication > User Management > Local Users.
2. Select Create New in the toolbar.

The Create New User page opens.

Figure 63:Create a new user

3. Configure the following settings:

Username	Enter a user name for the local user.
Password creation	Select Specify a password from the drop-down list.
Password	Enter a password. The password must be a minimum of 8 characters.
Password confirmation	Re-enter the password.
Enable account expiration	Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide.

4. Select OK to continue.

The Change user page opens.

Figure 64:Change user

5. Configure the following settings:

Password-based authentication	Leave this option selected. Select [Change Password] to change the password for this local user.
Token-based authentication	Select to enable token-based authentication.
Deliver token code by	Select to deliver token by FortiToken.
FortiToken 200	Select the FortiToken from the drop-down list.
Enable account expiration	Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide.
User Role
Role	Select either Administrator or User.
Allow RADIUS authentication	Select to allow RADIUS authentication.
Allow LDAP browsing.	Optionally, select to allow LDAP browsing. For more information see the FortiAuthenticator Administration Guide.

6. Select OK to save the setting.

To create a new RADIUS client:

1. Go to Authentication > RADIUS Service > Clients.
2. Select Create New in the toolbar.

The Create New RADIUS Client page opens.

Figure 65:Create new RADIUS client

3. Configure the following settings:

Name	Enter a name for the RADIUS client entry.
Client name/IP	Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiAnalyzer.
Secret	Enter the server secret. This value must match the FortiAnalyzer RADIUS server setting at System Settings > Admin > Remote Auth Server.
Description	Enter an option description for the RADIUS client entry.
Authentication method	Select Enforce two-factor authentication from the list of options.
Username input format	Select the username input format.
Realms	Create and define the Realm. For more information see the FortiAuthenticator Administration Guide.
Allow MAC-based authentication	Optional configuration. For more information see the FortiAuthenticator Administration Guide.
EAP types	Optional configuration. For more information see the FortiAuthenticator Administration Guide.

4. Select OK to save the setting.

FortiAnalyzer side configuration

The following instructions describes the steps required on your FortiAnalyzer device.

To configure the RADIUS server:

1. Go to System Settings > Admin > Remote Auth Server.
2. Select Create New in the toolbar and select RADIUS from the drop-down list.

The New RADIUS Server page opens.

Figure 66:New RADIUS server page

3. Configure the following settings:

Name	Enter a name to identify the FortiAuthenticator.
Server Name/IP	Enter the IP address or fully qualified domain name of your FortiAuthenticator.
Server Secret	Enter the FortiAuthenticator secret.
Secondary Server Name/IP	Enter the IP address or fully qualified domain name of the secondary FortiAuthenticator, if applicable.
Secondary Server Secret	Enter the secondary FortiAuthenticator secret, if applicable.
Port	Enter the port for FortiAuthenticator traffic. The default port is 1812.
Auth-Type	Enter the authentication type the FortiAuthenticator requires. The default setting of ANY has the FortiAnalyzer unit try all the authentication types. Select one of: ANY, PAP, CHAP, or MSv2.

4. Select OK to save the setting.

To create the admin users:

1. Go to System Settings > Admin > Administrator.
2. Select Create New in the toolbar.

The New Administrator page opens.

Figure 67:New administrator page

3. Configure the following settings:

User Name	Enter the name that this administrator uses to log in.
Description	Optionally, enter a description of this administrator’s role, location or reason for their account. This field adds an easy reference for the administrator account.
Type	Select RADIUS from the drop-down list.
RADIUS Server	Select the RADIUS server from the drop-down menu.
Wildcard	Select to enable wildcard. Wildcard authentication will allow authentication from any local user account on the FortiAuthenticator. To restrict authentication, RADIUS service clients can be configured to only authenticate specific user groups.
New Password	Enter the password. This field is available if Type is RADIUS and Wildcard is not selected.
Confirm Password	Enter the password again to confirm it. This field is available if Type is RADIUS and Wildcard is not selected.
Admin Profile	Select a profile from the drop-down menu. The profile selected determines the administrator’s access to the FortiAnalyzer unit’s features. To create a new profile see “Configuring administrator profiles” on page 80.
Administrative Domain	Choose the ADOMs this administrator will be able to access, or select All ADOMs. Select Specify and then select the Add icon,             , to add Administrative Domains. Select the remove icon,          , to remove an Administrative Domain. This field is available only if ADOMs are enabled (see “Administrative Domains” on page 27).The Super_User profile defaults to All ADOMs access.
Trusted Host	Optionally, enter the trusted host IPv4 or IPv6 address and netmask from which the administrator can log in to the FortiAnalyzer unit. Select the Add icon, , to add trusted hosts. You can specify up to ten trusted hosts. Select the Delete icon, , to remove trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see “Using trusted hosts” on page 78.

4. Select OK to save the setting.

To test the configuration:

1. Attempt to log into the FortiAnalyzer Web-based Manager with your new credentials.

Figure 68:FortiAnalyzer login page

2. Enter your user name and password and select Login.

The FortiToken page is displayed.

Figure 69:FortiToken page

3. Enter your FortiToken pin code and select Submit to finish logging in to FortiAnalyzer.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!