
Fortinet Gate 60D - Page 221

System Admin Administrators
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424 221
http://docs.fortinet.com/Feedback
3 Enter the Name of the PKI user.
4 For Subject, enter the text string that appears in the subject field of the certificate of the
authenticating user.
5 Select the CA certificate used to authenticate this user.
6 Select OK.
To create the user group (PKI)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter the Name that identifies the user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the PKI user name and move it to the
Members list.
6 Select OK.
To configure an administrator to authenticate with a PKI certificate
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
4 Configure additional features as required. For more information, see “Configuring an
administrator account” on page 212.
5 Select OK.
Using trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network
by further restricting administrative access. In addition to knowing the password, an
administrator must connect only through the subnet or subnets you specify. You can even
restrict an administrator to a single IP address if you define only one trusted host IP
address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the FortiGate unit does not respond to
administrative access attempts from any other hosts. This provides the highest security. If
you leave even one administrator unrestricted, the unit accepts administrative access
attempts on any interface that has administrative access enabled, potentially exposing the
unit to attempts to gain unauthorized access.
The trusted hosts you define apply both to the web-based manager and to the CLI when
accessed through Telnet or SSH. CLI access through the console connector is not
affected.
The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the
0.0.0.0/0.0.0.0 addresses to a non-zero address, the other 0.0.0.0/0.0.0.0 will be ignored.
The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0.
However, this configuration is less secure.
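The trusted-host rules above can be checked against an exported list of administrators. The following is an added example, not code from the FortiGate guide or from Fortinet; the account names, addresses and function names are constructed for illustration, and it assumes each administrator's trusted hosts are available as address/netmask strings.

```python
import ipaddress

def restricting_nets(entries):
    """Trusted-host entries that actually restrict an administrator.

    Rule from the guide: once one entry is non-zero, the remaining
    0.0.0.0/0.0.0.0 entries are ignored. An empty result means every
    entry is still the wildcard, so the account is unrestricted.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [n for n in nets if n.prefixlen != 0]

def unrestricted_admins(admins):
    """Names of administrators whose trusted hosts are all left at the default."""
    return sorted(name for name, e in admins.items() if not restricting_nets(e))

def unit_responds(admins, source_ip):
    """True if the unit would answer an administrative attempt from source_ip.

    The unit ignores a source only when every administrator is restricted
    and the source falls outside all of their trusted hosts.
    """
    src = ipaddress.ip_address(source_ip)
    for entries in admins.values():
        nets = restricting_nets(entries)
        if not nets or any(src in n for n in nets):
            return True
    return False

# Constructed sample accounts (hypothetical names and addresses).
WILDCARD = "0.0.0.0/0.0.0.0"
ADMINS = {
    "admin":   ["192.168.1.0/255.255.255.0", WILDCARD, WILDCARD],
    "auditor": ["10.0.0.5/255.255.255.255", WILDCARD, WILDCARD],  # single host
    "backup":  [WILDCARD, WILDCARD, WILDCARD],                    # left at default
}

if __name__ == "__main__":
    print("Unrestricted accounts:", unrestricted_admins(ADMINS))
    print("Responds to 203.0.113.9:", unit_responds(ADMINS, "203.0.113.9"))
    hardened = {k: v for k, v in ADMINS.items() if k != "backup"}
    print("After fixing 'backup':", unit_responds(hardened, "203.0.113.9"))
```

Any name returned by `unrestricted_admins` is an account that keeps the unit answering administrative access attempts from every host, regardless of how tightly the other accounts are restricted.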
Fields for step 3 of "To configure an administrator to authenticate with a PKI certificate":
Administrator    A name that identifies the administrator.
Type             PKI.
User Group       The user group that includes the PKI user as a member.
Admin Profile    The admin profile to apply to the administrator.
