Fortinet 5.0 Patch 6 Administrators

Fortinet 212 FortiWeb 5.0 Patch 6 Administration Guide

Administrators

In its factory default configuration, FortiWeb has one administrator account named admin. This

administrator has permissions that grant full access to FortiWeb’s features.

To prevent accidental changes to the configuration, it’s best if only network administrators —

and if possible, only a single person — use the admin account. You can use the admin

administrator account to configure more accounts for other people. Accounts can be made with

different scopes of access. If you require such role-based access control (RBAC) restrictions, or

if you simply want to harden security or prevent inadvertent changes to other administrators’

areas, you can do so via access profiles. See “Configuring access profiles” on page 216.

For example, you could create an account for a security auditor who must only be able to view

the configuration and logs, but not change them.

Administrators may be able to access the web UI, the CLI, and use ping/traceroute through the

network, depending on:

• the account’s trusted hosts (“Trusted hosts” on page 51)

• the protocols enabled for each of the FortiWeb appliance’s network interfaces (“Configuring

the network interfaces” on page 113)

To determine which administrators are currently logged in, use the CLI command

get system logged-users. For details, see the FortiWeb CLI Reference.

To configure an administrator account

1. Before configuring the account:

• Configure the access profile that will govern the account’s permissions (see “Configuring

access profiles” on page 216).

• If you already have accounts that are defined on an LDAP (e.g. Microsoft Active Directory

or IBM Lotus Domino) or RADIUS server, FortiWeb can query the server in order to

authenticate your administrators. Configure the query set (see “Groupin g remote

authentication queries for administrators” on page 218).

2. Go to System > Admin > Administrators.

To access this part of the web UI, your administrator's account access profile must have

Read and Write permission to items in the Admin Users category. For details, see

“Permissions” on page 47.

3. Click Create New.

A dialog appears.

To prevent multiple administrators from logging in simultaneously, which could allow them to

inadvertently overwrite each other’s changes, enable Enable Single Admin User login. For

details, see “Global web UI & CLI settings” on page 51.