Fortinet 212 FortiWeb 5.0 Patch 6 Administration Guide
Administrators
In its factory default configuration, FortiWeb has one administrator account named admin. This
administrator has permissions that grant full access to FortiWeb’s features.
To prevent accidental changes to the configuration, it’s best if only network administrators —
and if possible, only a single person — use the admin account. You can use the admin
administrator account to configure more accounts for other people. Accounts can be made with
different scopes of access. If you require such role-based access control (RBAC) restrictions, or
if you simply want to harden security or prevent inadvertent changes to other administrators’
areas, you can do so via access profiles. See “Configuring access profiles” on page 216.
For example, you could create an account for a security auditor who must only be able to view
the configuration and logs, but not change them.
Administrators may be able to access the web UI, the CLI, and use ping/traceroute through the
network, depending on:
• the account’s trusted hosts (“Trusted hosts” on page 51)
• the protocols enabled for each of the FortiWeb appliance’s network interfaces (“Configuring
the network interfaces” on page 113)
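For an access review, the two conditions above can be modelled as a single check. This is an added example, not Fortinet code or CLI output; it assumes both conditions must hold for an administrative login, and every interface name, account name, profile name and address in it is constructed.

```python
# Added example: simplified model, not FortiWeb code. All names and sample
# values below are constructed for illustration.
from ipaddress import ip_address, ip_network

# Constructed sample: protocols enabled for administrative access per interface.
INTERFACES = {
    "port1": {"https", "ssh", "ping"},
    "port2": {"ping"},
}

# Constructed sample: administrator accounts, their access profile and trusted hosts.
ADMINS = {
    "admin":    {"profile": "full_access", "trusted_hosts": ["192.0.2.10/32"]},
    "auditor":  {"profile": "read_only",   "trusted_hosts": ["198.51.100.0/24"]},
    "helpdesk": {"profile": "read_only",   "trusted_hosts": ["0.0.0.0/0"]},
}

def can_reach(admin, source_ip, interface, protocol):
    """Assumed rule: the protocol must be enabled on the interface AND the
    source address must fall inside one of the account's trusted hosts."""
    if protocol not in INTERFACES.get(interface, set()):
        return False
    src = ip_address(source_ip)
    return any(src in ip_network(net) for net in ADMINS[admin]["trusted_hosts"])

def unrestricted_accounts():
    """Accounts whose trusted hosts place no limit on the source address."""
    return sorted(
        name for name, acct in ADMINS.items()
        if any(ip_network(net).prefixlen == 0 for net in acct["trusted_hosts"])
    )

if __name__ == "__main__":
    # Review output: which accounts can log in from anywhere, and one spot check.
    print("unrestricted:", unrestricted_accounts())
    print("auditor via port1/https:",
          can_reach("auditor", "198.51.100.7", "port1", "https"))
```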
To determine which administrators are currently logged in, use the CLI command
get system logged-users. For details, see the FortiWeb CLI Reference.
To configure an administrator account
1. Before configuring the account:
• Configure the access profile that will govern the account’s permissions (see “Configuring
access profiles” on page 216).
• If you already have accounts that are defined on an LDAP (e.g. Microsoft Active Directory
or IBM Lotus Domino) or RADIUS server, FortiWeb can query the server in order to
authenticate your administrators. Configure the query set (see “Grouping remote
authentication queries for administrators” on page 218).
2. Go to System > Admin > Administrators.
To access this part of the web UI, your administrator's account access profile must have
Read and Write permission to items in the Admin Users category. For details, see
“Permissions” on page 47.
3. Click Create New.
A dialog appears.
To prevent multiple administrators from logging in simultaneously, which could allow them to
inadvertently overwrite each other’s changes, enable Enable Single Admin User login. For
details, see “Global web UI & CLI settings” on page 51.