FortiGate Version 3.0 MR4 Administration Guide
148 01-30004-0203-20070102
Access profiles System Admin
4 Select the type of authentication:
If you are using RADIUS authentication for this administrator:
• Select RADIUS.
• Select Wildcard if you want all accounts on the RADIUS server to be administrators of this FortiGate unit.
• Select the administrators user group from the User Group list.
If you are using PKI certificate-based authentication for this administrator:
• Select PKI.
• Select the administrators user group from the User Group list.
5 Type and confirm the password for the administrator account.
This step does not apply if you are using RADIUS Wildcard or PKI certificate-based authentication.
6 Optionally, type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager.
7 Select the access profile for the administrator.
8 Select OK.
Using trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the web-based manager and to the CLI when accessed through telnet or SSH. CLI access through the console connector is not affected.
The trusted host addresses all default to 0.0.0.0/0. If you set one of the 0.0.0.0/0 addresses to a non-zero address, the other 0.0.0.0/0 entries are ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0. However, this is an insecure configuration.
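The following Python script is an added illustration of the trusted-host rules described above; it is not FortiGate code and does not reflect how FortiOS implements the check internally. It models the two rules from this section (a slot left at 0.0.0.0/0 matches any source, and once any slot holds a non-zero address the remaining 0.0.0.0/0 slots are ignored) and adds an audit helper that lists administrators still reachable from anywhere. The three slots per account, the account names and the addresses are constructed sample data, not values from the guide.

```python
import ipaddress

# A trusted-host slot left at its default (0.0.0.0/0) matches every source address.
ANY_HOST = ipaddress.ip_network("0.0.0.0/0")


def parse_trusted_host(ip, netmask):
    """Turn an 'IP address and netmask' pair, as typed into the web-based
    manager, into a network object. strict=False tolerates host bits that
    are set in the address (e.g. 10.0.0.5 with 255.255.255.0)."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def effective_trusted_hosts(slots):
    """Apply the rule from the guide: every slot defaults to 0.0.0.0/0, and as
    soon as one slot holds a non-zero address the remaining 0.0.0.0/0 slots
    are ignored. Returns the networks that actually gate logins."""
    nets = [parse_trusted_host(ip, mask) for ip, mask in slots]
    specific = [n for n in nets if n != ANY_HOST]
    return specific if specific else [ANY_HOST]


def login_permitted(source_ip, slots):
    """True if an administrative login attempt from source_ip passes the
    trusted-host check for an account with the given slots. The password
    check is a separate step and is not modelled here."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in effective_trusted_hosts(slots))


def unrestricted_admins(admins):
    """Audit helper: names of administrators whose trusted hosts still allow
    logins from anywhere. The guide notes that a single unrestricted account
    makes the unit answer login attempts on every admin-enabled interface."""
    return sorted(name for name, slots in admins.items()
                  if ANY_HOST in effective_trusted_hosts(slots))


# Constructed sample accounts (not from the guide). Each account is assumed
# to have three trusted-host slots, as on the web-based manager form.
SAMPLE_ADMINS = {
    "admin": [("192.0.2.10", "255.255.255.255"),      # pinned to one management host
              ("0.0.0.0", "0.0.0.0"),
              ("0.0.0.0", "0.0.0.0")],
    "netops": [("10.10.0.0", "255.255.0.0"),           # an operations subnet
               ("10.20.5.0", "255.255.255.0"),         # a second, smaller subnet
               ("0.0.0.0", "0.0.0.0")],
    "contractor": [("0.0.0.0", "0.0.0.0"),             # left at the defaults
                   ("0.0.0.0", "0.0.0.0"),
                   ("0.0.0.0", "0.0.0.0")],
}

if __name__ == "__main__":
    print(login_permitted("192.0.2.10", SAMPLE_ADMINS["admin"]))        # True
    print(login_permitted("192.0.2.11", SAMPLE_ADMINS["admin"]))        # False
    print(login_permitted("10.20.5.77", SAMPLE_ADMINS["netops"]))       # True
    print(login_permitted("203.0.113.9", SAMPLE_ADMINS["contractor"]))  # True
    print(unrestricted_admins(SAMPLE_ADMINS))                            # ['contractor']
```

Running the script shows why the guide recommends setting trusted hosts on every account: the "contractor" account alone is enough for the unit to accept login attempts from an arbitrary address, regardless of how tightly "admin" and "netops" are restricted.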
Access profiles
Each administrator account belongs to an access profile. The access profile separates FortiGate features into access control categories for which you can enable read and/or write access. The following table lists the web-based manager pages to which each category provides access: