Category Archives: FortiOS

Two-factor authentication – FortiAnalyzer – FortiOS 6.2.3

Two-factor authentication

To configure two-factor authentication for administrators you will need the following:

  • FortiAnalyzer
  • FortiAuthenticator
  • FortiToken

Configuring FortiAuthenticator

On the FortiAuthenticator, you must create a local user and a RADIUS client.

Before proceeding, ensure you have configured your FortiAuthenticator, created a NAS entry for your FortiAnalyzer, and created or imported FortiTokens.

For more information, see the Two-Factor Authenticator Interoperability Guide and the FortiAuthenticator Administration Guide in the Fortinet Document Library.

Create a local user:

  1. Go to Authentication > User Management > Local Users.
  2. Click Create New in the toolbar.
  3. Configure the following settings:
Username: Enter a user name for the local user.
Password creation: Select Specify a password from the dropdown list.
Password: Enter a password. The password must be a minimum of 8 characters.
Password confirmation: Re-enter the password. The passwords must match.
Allow RADIUS authentication: Enable to allow RADIUS authentication.
Role: Select the role for the new user.
Enable account expiration: Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide.
  4. Click OK to continue to the Change local user
  5. Configure the following settings, then click OK.
Disabled: Select to disable the local user.
Password-based authentication: Leave this option selected. Select [Change Password] to change the password for this local user.
Token-based authentication: Select to enable token-based authentication.
Deliver token code by: Select to deliver the token by FortiToken, email, or SMS. Click Test Token to test the token.
Allow RADIUS authentication: Select to allow RADIUS authentication.
Enable account expiration: Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide.
User Role
Role: Select either Administrator or User.
Full Permission: Select to allow Full Permission, otherwise select the admin profiles to apply to the user. This option is only available when Role is Administrator.
Web service: Select to allow Web service, which allows the administrator to access the web service via a REST API or by using a client application. This option is only available when Role is Administrator.
Restrict admin login from trusted management subnets only: Select to restrict admin login from trusted management subnets only, then enter the trusted subnets in the table. This option is only available when Role is Administrator.
Allow LDAP Browsing: Select to allow LDAP browsing. This option is only available when Role is User.

Create a RADIUS client:

  1. Go to Authentication > RADIUS Service > Clients.
  2. Click Create New in the toolbar.
  3. Configure the following settings, then click OK.
Name: Enter a name for the RADIUS client entry.
Client name/IP: Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiAnalyzer.
Secret: Enter the server secret. This value must match the FortiAnalyzer RADIUS server setting at System Settings > Admin > Remote Authentication Server.
First profile name: See the FortiAuthenticator Administration Guide.
Description: Enter an optional description for the RADIUS client entry.
Apply this profile based on RADIUS attributes: Select to apply the profile based on RADIUS attributes.
Authentication method: Select Enforce two-factor authentication from the list of options.
Username input format: Select specific user name input formats.
Realms: Configure realms.
Allow MAC-based authentication: Optional configuration.
Check machine authentication: Select to check machine-based authentication and apply groups based on the success or failure of the authentication.
Enable captive portal: Enable various portals.
EAP types: Optional configuration.

Configuring FortiAnalyzer

On the FortiAnalyzer, you need to configure the RADIUS server and create an administrator that uses the RADIUS server for authentication.

Configure the RADIUS server:

  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Click Create New > RADIUS in the toolbar.
  3. Configure the following settings, then click OK.
Name: Enter a name to identify the FortiAuthenticator.
Server Name/IP: Enter the IP address or fully qualified domain name of your FortiAuthenticator.
Server Secret: Enter the FortiAuthenticator secret.
Secondary Server Name/IP: Enter the IP address or fully qualified domain name of the secondary FortiAuthenticator, if applicable.
Secondary Server Secret: Enter the secondary FortiAuthenticator secret, if applicable.
Port: Enter the port for FortiAuthenticator traffic.
Authentication Type: Select the authentication type the FortiAuthenticator requires. If you select the default ANY, FortiAnalyzer tries all authentication types.

Note: RADIUS server authentication for local administrator users stored in FortiAuthenticator requires the PAP authentication type.

Create the administrator:

  1. Go to System Settings > Admin > Administrator.
  2. Click Create New from the toolbar.
  3. Configure the settings, selecting the previously added RADIUS server from the RADIUS Server dropdown list. See Creating administrators on page 224.
  4. Click OK to save the settings.

Test the configuration:

  1. Attempt to log in to the FortiAnalyzer GUI with your new credentials.
  2. Enter your user name and password and click Login.
  3. Enter your FortiToken pin code and click Submit to log in to the FortiAnalyzer.

Global Admin – GUI Language – Idle Timeout – FortiAnalyzer – FortiOS 6.2.3

GUI language

The GUI supports multiple languages, including:

  • English
  • Simplified Chinese
  • Spanish
  • Traditional Chinese
  • Japanese
  • Korean

By default, the GUI language is set to Auto Detect, which automatically uses the language used by the management computer. If that language is not supported, the GUI defaults to English. For best results, you should select the language used by the operating system on the management computer.

For more information about language support, see the FortiAnalyzer Release Notes.

To change the GUI language:

  1. Go to System Settings > Admin > Admin Settings.
  2. Under View Settings, in the Language field, select a language, or Auto Detect, from the dropdown list.
  3. Click Apply to apply the language change.

Idle timeout

To ensure security, the idle timeout period should be short. By default, administrative sessions are disconnected if no activity takes place for five minutes. This idle timeout is recommended to prevent anyone from using the GUI on a PC that was logged in to the GUI and then left unattended. The idle timeout period can be set from 1 to 480 minutes.

To change the idle timeout:

  1. Go to System Settings > Admin > Admin Settings.
  2. Change the Idle Timeout period as required.
  3. Click Apply.

Global Admin – Password Policy – FortiAnalyzer – FortiOS 6.2.3

Password policy

You can enable and configure password policy for the FortiAnalyzer.

To configure the password policy:

  1. Go to System Settings > Admin > Admin Settings.
  2. Click to enable Password Policy.
  3. Configure the following settings, then click Apply to apply the password policy.
Minimum Length: Specify the minimum number of characters that a password must be, from 8 to 32. Default: 8.
Must Contain: Specify the types of characters a password must contain: uppercase and lowercase letters, numbers, and/or special characters.
Admin Password Expires after: Specify the number of days a password is valid for. When the time expires, an administrator will be prompted to enter a new password.

Password lockout and retry attempts

By default, the number of password retry attempts is set to three, allowing the administrator a maximum of three attempts at logging in to their account before they are locked out for a set amount of time (by default, 60 seconds).

The number of attempts and the default wait time before the administrator can try to enter a password again can be customized. Both settings can be configured using the CLI.

To configure the lockout duration:

  1. Enter the following CLI commands:

config system global
    set admin-lockout-duration <seconds>
end

To configure the number of retry attempts:

  1. Enter the following CLI commands:

config system global
    set admin-lockout-threshold <failed_attempts>
end

Example

To set the lockout threshold to one attempt and set a five minute duration before the administrator can try to log in again, enter the following CLI commands:

config system global
    set admin-lockout-duration 300
    set admin-lockout-threshold 1
end
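The password-policy and lockout settings above can be modelled offline to see how they interact. The following Python is an added example, not Fortinet code: it mirrors the Minimum Length and Must Contain checks and the admin-lockout-threshold / admin-lockout-duration behaviour, so you can confirm, for instance, that the CLI example above (threshold 1, duration 300) locks the account on the very first failure for exactly five minutes. Whether a successful login clears the failure counter and whether attempts made during a lockout extend it are assumptions made here; the guide does not say.

```python
"""Offline model of FortiAnalyzer admin password policy and lockout settings.

Added example (not Fortinet code). Reproduces the behaviour the guide
describes so the effect of each setting can be checked without a device:
  - Minimum Length (8..32) and Must Contain character classes
  - admin-lockout-threshold / admin-lockout-duration
Tie-breaking rules (a successful login clears the counter; attempts during a
lockout do not extend it) are assumptions, not taken from the guide.
"""
import string
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 8              # guide: 8 to 32, default 8
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False

    def violations(self, password: str) -> list:
        """Return the policy rules the password fails (empty list means it passes)."""
        if not 8 <= self.min_length <= 32:
            raise ValueError("min_length must be between 8 and 32")
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        checks = [
            (self.require_upper, "uppercase letter", any(c.isupper() for c in password)),
            (self.require_lower, "lowercase letter", any(c.islower() for c in password)),
            (self.require_digit, "number", any(c.isdigit() for c in password)),
            (self.require_special, "special character",
             any(c in string.punctuation for c in password)),
        ]
        for required, name, present in checks:
            if required and not present:
                problems.append(f"missing {name}")
        return problems


@dataclass
class LockoutTracker:
    """Tracks consecutive failed logins per administrator (assumed semantics)."""
    threshold: int = 3       # admin-lockout-threshold, default 3
    duration: int = 60       # admin-lockout-duration in seconds, default 60
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock time (seconds)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0)

    def attempt(self, user: str, success: bool, now: float) -> str:
        """Record one login attempt; return 'locked', 'accepted' or 'rejected'."""
        if self.is_locked(user, now):
            return "locked"             # assumption: a locked user is not even evaluated
        if success:
            self.failures.pop(user, None)   # assumption: success resets the counter
            return "accepted"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.threshold:
            self.locked_until[user] = now + self.duration
            self.failures.pop(user, None)
            return "locked"
        return "rejected"
```

With the defaults (three attempts, 60 seconds) the third consecutive failure locks the account; with the guide's CLI example the first failure does, and the account only becomes usable again once 300 seconds have elapsed.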

Global administration settings – FortiAnalyzer – FortiOS 6.2.3

Global administration settings

The administration settings page provides options for configuring global settings for administrator access to the FortiAnalyzer device. Settings include:

  • Ports for HTTPS and HTTP administrative access

To improve security, you can change the default port configurations for administrative connections to the FortiAnalyzer. When connecting to the FortiAnalyzer unit after the port has changed, the port must be included in the URL, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiAnalyzer unit using port 8080, the URL would be https://192.168.1.99:8080. When you change the default port number for HTTP, HTTPS, or SSH, ensure that the new port number is unique.

  • Idle timeout settings

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management computer is left unattended.

  • GUI language

The language the GUI uses. For best results, you should select the language used by the management computer.

  • GUI theme

The default color theme of the GUI is Blueberry. You can choose another color or an image.

  • Password policy

Enforce password policies for administrators.

To configure the administration settings:

  1. Go to System Settings > Admin > Admin Settings.
  2. Configure the following settings as needed, then click Apply to save your changes to all administrator accounts:

Administration Settings

HTTP Port: Enter the TCP port to be used for administrative HTTP access. Default: 80. Select Redirect to HTTPS to redirect HTTP traffic to HTTPS.
HTTPS Port: Enter the TCP port to be used for administrative HTTPS access. Default: 443.
HTTPS & Web Service Server Certificate: Select a certificate from the dropdown list.
Idle Timeout: Enter the number of minutes an administrative connection can be idle before the administrator must log in again, from 1 to 480 (8 hours). See Idle timeout on page 246 for more information.
View Settings
Language: Select a language from the dropdown list. See GUI language on page 245 for more information.
Theme: Select a theme for the GUI. The selected theme is not applied until you click Apply, allowing you to sample different themes. Default: Blueberry.
Password Policy: Click to enable administrator password policies. See Password policy on page 244 and Password lockout and retry attempts on page 245 for more information.
Minimum Length: Select the minimum length for a password, from 8 to 32 characters. Default: 8.
Must Contain: Select the types of characters a password must contain.
Admin Password Expires after: Select the number of days a password is valid for, after which it must be changed.

SAML admin authentication – FortiAnalyzer – FortiOS 6.2.3

SAML admin authentication

SAML can be enabled across all Security Fabric devices, enabling smooth movement between devices for the administrator. FortiAnalyzer can play the role of the identity provider (IdP) or the service provider (SP) when an external identity provider is available.

Devices registered with the IdP can be accessed through the Quick Access menu, which appears in the top-right corner of the main menu. The current device is indicated with an asterisk (this feature is currently only supported in FAZ/FMG).

Logging into an SP device will redirect you to the IdP login page. By default, it is a Fortinet login page. After successful authentication, you can access other SP devices from within the same browser without additional authentication.

To configure FortiAnalyzer as an identity provider:

  1. Go to System Settings > SAML SSO.
  2. Select Identity Provider(IdP).
  3. In the IdP Certificate dropdown, choose a certificate where IdP is used.
  4. Select Download to get the IdP certificate, used later to configure SPs.
  5. Select Apply.
  6. In the SP Settings table, select Create to add a service provider.
  7. In the Edit Service Provider window:
    • Enter a name for the SP.
    • Select Fortinet as the SP Type.
    • If the SP is not a Fortinet product, select Custom as the SP Type and copy the SP Entity ID, SP ACS (Login) URL, and SP SLS (Logout) URL from your SP's configuration page.
    • Enter the SP IP address.
    • Copy down the IdP Prefix. It is required when configuring SPs.
  8. Select OK.
  9. A custom login page can be created by moving the Login Page Template toggle to the On position and selecting Customize.

To configure FortiAnalyzer as a service provider:

  1. Go to System Settings > SAML SSO.
  2. Select Service Provider(SP).
  3. Select Fortinet as the IdP Type.
  4. Enter the IdP IP address and the IdP prefix that you obtained while configuring the IdP device.
  5. Select the IdP certificate.
     If this is a first-time set up, you can import the IdP certificate that you downloaded while configuring the IdP device.
  6. Confirm that the information is correct and select Apply.
  7. Repeat the steps for each FAZ/FMG that is to be set as a service provider.
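When the SP Type is Custom, the IdP form above needs three values copied from the service provider: the SP Entity ID, the SP ACS (Login) URL and the SP SLS (Logout) URL. Those values normally live in the SP's SAML metadata document. The following Python is an added example, not FortiAnalyzer code: it builds a minimal SPSSODescriptor for a hypothetical custom SP and extracts the three values back out of any SP metadata, so what you paste into the IdP can be checked against the SP's own metadata before you click Apply. The URLs are constructed placeholders, and the insistence on HTTPS endpoints is this example's own check, not a rule stated in the guide.

```python
"""Build and parse SAML 2.0 service-provider metadata (added example, not Fortinet code).

For a Custom SP Type, FortiAnalyzer's IdP settings ask for the SP Entity ID,
SP ACS (Login) URL and SP SLS (Logout) URL. These helpers produce a minimal
SP metadata document and read those three values from one.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD_NS)


def build_sp_metadata(entity_id: str, acs_url: str, sls_url: str) -> str:
    """Return SP metadata XML declaring one ACS (login) and one SLS (logout) endpoint."""
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",   # ask the IdP to sign its assertions
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    ET.SubElement(sp, f"{{{MD_NS}}}SingleLogoutService",
                  {"Binding": HTTP_REDIRECT, "Location": sls_url})
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": acs_url,
                   "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def extract_sp_values(metadata_xml: str) -> dict:
    """Pull the Entity ID, default ACS URL and SLS URL out of SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
    if not acs:
        raise ValueError("no AssertionConsumerService endpoint")
    # Prefer the endpoint marked isDefault; otherwise take the first one listed.
    default = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    sls = sp.find(f"{{{MD_NS}}}SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": default.get("Location"),
        "sls_url": sls.get("Location") if sls is not None else None,
    }


def insecure_endpoints(values: dict) -> list:
    """This example's own check (not from the guide): SAML endpoints should be HTTPS."""
    return [u for u in (values["acs_url"], values["sls_url"])
            if u and not u.startswith("https://")]
```

Run extract_sp_values on the metadata your custom SP publishes and compare the result with the three fields in the Edit Service Provider window; a mismatch in the ACS URL is the usual reason an otherwise correct SAML setup loops back to the login page.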

Remote authentication server groups – FortiAnalyzer – FortiOS 6.2.3

Remote authentication server groups

Remote authentication server groups can be used to extend wildcard administrator access. Normally, a wildcard administrator can only be created for a single server. If multiple servers of different types are grouped, a wildcard administrator can be applied to all of the servers in the group.

Multiple servers of the same type can be grouped to act as backups – if one server fails, the administrator can still be authenticated by another server in the group.

To use a server group to authenticate administrators, you must configure the group before configuring the administrator accounts that will use it.

Remote authentication server groups can only be managed using the CLI. For more information, see the FortiAnalyzer CLI Reference.

To create a new remote authentication server group:

  1. Open the admin group command shell:

config system admin group

  2. Create a new group, or edit an already created group:

edit <group name>

  3. Add remote authentication servers to the group:

set member <server name> <server name> …

  4. Apply your changes:

end

To edit the servers in a group:

  1. Enter the following CLI commands:

config system admin group
    edit <group name>
        set member <server name> <server name> …
end

Only the servers listed in the command will be in the group.

To remove all the servers from the group:

  1. Enter the following CLI commands:

config system admin group
    edit <group name>
        unset member
end

All of the servers in the group will be removed.

To delete a group:

  1. Enter the following CLI commands:

config system admin group
    delete <group name>
end

TACACS+ servers – FortiAnalyzer – FortiOS 6.2.3

TACACS+ servers

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices via one or more centralized servers. It allows a client to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49.

If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiAnalyzer unit contacts the TACACS+ server for authentication. If the TACACS+ server can authenticate the administrator, they are successfully authenticated with the FortiAnalyzer unit. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiAnalyzer unit.

To use a TACACS+ server to authenticate administrators, you must configure the server before configuring the administrator accounts that will use it.

To add a TACACS+ server:

  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Select Create New > TACACS+ Server from the toolbar. The New TACACS+ Server pane opens.
  3. Configure the following settings, and then click OK to add the TACACS+ server.
Name: Enter a name to identify the TACACS+ server.
Server Name/IP: Enter the IP address or fully qualified domain name of the TACACS+ server.
Port: Enter the port for TACACS+ traffic. The default port is 49.
Server Key: Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
Authentication Type: Select the authentication type the TACACS+ server requires. If you select the default ANY, FortiAnalyzer tries all authentication types.
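To make the protocol description above concrete, the following Python is an added example (not FortiAnalyzer code) of what travels over TCP port 49 when a client authenticates an administrator: a TACACS+ Authentication START packet, with its body obfuscated under the shared server key using the chained-MD5 pseudo-pad of RFC 8907, and the decoding of the server's REPLY. The key, user name, session id and the port/rem_addr strings are constructed test values, and nothing here opens a connection; the 16-character key limit enforced in the code is the FortiAnalyzer limit stated above.

```python
"""Build and decode TACACS+ (RFC 8907) authentication packets.

Added example (not Fortinet code). Shows the Authentication START packet a
TACACS+ client sends for a PAP login, how the body is obfuscated with the
shared key, and how a REPLY is decoded. All values below are constructed.
"""
import hashlib
import struct

VERSION = 0xC0                 # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x02, 0x01
UNENCRYPTED_FLAG = 0x01
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 keystream, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, password: str, key: bytes, session_id: int,
                       port: str = "https", rem_addr: str = "192.0.2.10") -> bytes:
    """Authentication START (seq_no 1) carrying a PAP user name and password."""
    if len(key) > 16:   # FortiAnalyzer limits the server key to 16 characters
        raise ValueError("server key must be at most 16 characters")
    user_b, port_b, rem_b, data_b = (s.encode() for s in (user, port, rem_addr, password))
    body = struct.pack("!BBBBBBBB", AUTHEN_LOGIN, 1, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), len(data_b))
    body += user_b + port_b + rem_b + data_b
    header = HEADER.pack(VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, 1)


def parse_header(packet: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def parse_authen_reply(packet: bytes, key: bytes) -> dict:
    """Decode an Authentication REPLY body and name its status."""
    h = parse_header(packet)
    body = packet[HEADER.size:HEADER.size + h["length"]]
    if not h["flags"] & UNENCRYPTED_FLAG:       # normal case: body is obfuscated
        body = obfuscate(body, h["session_id"], key, h["seq_no"])
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode(errors="replace")
    return {"status": STATUS_NAMES.get(status, f"unknown({status})"),
            "server_msg": server_msg, "seq_no": h["seq_no"]}


def make_authen_reply(status: int, server_msg: str, key: bytes,
                      session_id: int, seq_no: int = 2) -> bytes:
    """Constructed server REPLY, used only to exercise parse_authen_reply offline."""
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)
```

Note that the pseudo-pad is an MD5-derived keystream keyed only by the shared key and the packet header fields, which is why the guide's server key must be treated with the same care as a password and why a TACACS+ link should run over a management network rather than an untrusted one.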

RADIUS servers – FortiAnalyzer – FortiOS 6.2.3

RADIUS servers

Remote Authentication Dial-In User Service (RADIUS) is a user authentication and network-usage accounting system. When users connect to a server they type a user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes access to the network.

You can create or edit RADIUS server entries in the server list to support authentication of administrators. When an administrator account’s type is set to RADIUS, the FortiAnalyzer unit uses the RADIUS server to verify the administrator password at log on. The password is not stored on the FortiAnalyzer unit.

To use a RADIUS server to authenticate administrators, you must configure the server before configuring the administrator accounts that will use it.

To add a RADIUS server:

  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Select Create New > RADIUS Server from the toolbar. The New RADIUS Server pane opens.
  3. Configure the following settings, and then click OK to add the RADIUS server.
Name: Enter a name to identify the RADIUS server.
Server Name/IP: Enter the IP address or fully qualified domain name of the RADIUS server.
Port: Enter the port for RADIUS traffic. The default port is 1812. Some RADIUS servers use port 1645.
Server Secret: Enter the RADIUS server secret. Click the eye icon to Show or Hide the server secret.
Test Connectivity: Click Test Connectivity to test the connectivity with the RADIUS server. Shows success or failure.
Test User Credentials: Click Test User Credentials to test the user credentials. Shows success or failure.
Secondary Server Name/IP: Enter the IP address or fully qualified domain name of the secondary RADIUS server.
Secondary Server Secret: Enter the secondary RADIUS server secret.
Authentication Type: Select the authentication type the RADIUS server requires. If you select the default ANY, FortiAnalyzer tries all authentication types.
Advanced Options
nas-ip: Specify the IP address that FortiAnalyzer reports to the RADIUS server as the Network Access Server (NAS).
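The following Python is an added example, not Fortinet code, and serves both the RADIUS server settings above and the two-factor "Test the configuration" steps earlier on this page: it builds a RADIUS Access-Request with a PAP-obfuscated User-Password (RFC 2865, the authentication type the two-factor section notes FortiAuthenticator requires), decodes the reply, and verifies the Response Authenticator so that a spoofed Access-Accept from a non-server is not mistaken for a real one. The secret, user name, NAS address and the token prompt are constructed values; the functions that need a live server are separated from the ones the offline checks exercise. How the FortiToken code is carried (appended to the password or requested in a separate Access-Challenge round trip) depends on the FortiAuthenticator configuration, and the challenge handling here is one assumed flow, not something the guide specifies.

```python
"""RADIUS (RFC 2865) Access-Request builder and reply verifier.

Added example (not Fortinet code). Builds a PAP Access-Request, decodes the
reply, and checks the Response Authenticator against the shared secret.
All sample values are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24


def pap_encrypt(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: each 16-byte chunk is XORed with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def pap_decrypt(secret: bytes, authenticator: bytes, ciphertext: bytes) -> bytes:
    """Inverse of pap_encrypt; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], block))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs: list) -> bytes:
    """(type, value) pairs -> RADIUS TLVs; length field counts its own 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(secret: bytes, identifier: int, username: str, password: str,
                         nas_ip: str, state: bytes = None):
    """Return (packet, request_authenticator); pass State back on a challenge round trip."""
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_encrypt(secret, authenticator, password.encode())),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]   # the guide's nas-ip setting
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body, authenticator


def parse_response(packet: bytes, secret: bytes, request_authenticator: bytes) -> dict:
    """Decode a reply and verify MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attr_bytes = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attr_bytes + secret).digest()
    verified = hmac.compare_digest(expected, packet[4:20])
    attrs = decode_attrs(attr_bytes)
    reply = b" ".join(v for t, v in attrs if t == REPLY_MESSAGE).decode(errors="replace")
    return {"code": CODE_NAMES.get(code, f"code {code}"), "identifier": identifier,
            "verified": verified, "reply_message": reply,
            "state": next((v for t, v in attrs if t == STATE), None)}


def make_response(code: int, identifier: int, request_authenticator: bytes,
                  secret: bytes, attrs: list) -> bytes:
    """Constructed server reply with a correct Response Authenticator (offline tests only)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def send_access_request(server: str, secret: bytes, username: str, password: str,
                        nas_ip: str, port: int = 1812, timeout: float = 5.0) -> dict:
    """Send one request over UDP to a real server (not exercised offline)."""
    packet, auth = build_access_request(secret, 1, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data, secret, auth)
```

When testing a FortiAuthenticator two-factor setup, treat a reply whose "verified" field is False as a failure regardless of its code; only a reply that carries a Response Authenticator computed with the shared secret came from a party that knows that secret.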