
What is Fortinet Admin Authentication?

Published on October 6, 2022

Configuring access to enterprise-grade firewalls is something every network administrator should know how to do. Today we’re going to discuss why you should never use local admin accounts in a FortiGate firewall, why you should always use remote authentication, and how you can better secure admin access with FortiToken.

An Overview of Fortinet Admin Authentication

In this video, CBT Nuggets trainer Keith Barker provides a brief overview of how admin authentication works for Fortinet firewalls.

Why Create Multiple Accounts for Different Admins?

Most networking equipment, including FortiGate firewalls, has a default admin account. While using only that single admin account is convenient, it’s not something you want to do. Instead, it’s a better idea to create multiple admin accounts. In this case, each administrator will want their own admin account. Each admin account should be uniquely identifiable, too.

We do this because IT hardware and appliances keep logs. Devices can be configured so that whenever a change is made to a device, that device logs those changes. If there ever comes a time when you need to review those logs, it’s nice to know who made what changes in your organization.  Otherwise, you would have no idea who did what if everyone used the default admin account. 
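The attribution problem described above can be seen by auditing change logs. The following is an added example, not code from the original article: it parses FortiGate-style key=value event lines and separates configuration changes made under named accounts from those made under the shared default account. The sample lines are constructed, and the field names (`user`, `ui`, `action`, `cfgpath`) are assumptions about the log layout.

```python
import re
from collections import defaultdict

# Constructed sample in FortiGate-style key=value event-log syntax; field
# names and values are illustrative assumptions, not output from a real device.
SAMPLE_LOG = """\
date=2022-10-06 time=09:12:44 type="event" user="admin" ui="GUI(10.1.1.50)" action="Edit" cfgpath="firewall.policy" msg="Edit firewall.policy 12"
date=2022-10-06 time=09:30:02 type="event" user="jsmith" ui="ssh(10.1.1.61)" action="Add" cfgpath="firewall.address" msg="Add firewall.address web-srv"
date=2022-10-06 time=10:05:19 type="event" user="admin" ui="GUI(10.1.1.73)" action="Delete" cfgpath="firewall.policy" msg="Delete firewall.policy 7"
date=2022-10-06 time=10:07:55 type="traffic" srcip=10.1.1.61 dstip=192.0.2.10 action="accept"
date=2022-10-06 time=11:41:08 type="event" user="mlee" ui="GUI(10.1.1.73)" action="Edit" cfgpath="system.interface" msg="Edit system.interface port3"
"""

SHARED_ACCOUNTS = {"admin"}          # assumption: only the default account is shared
CHANGE_ACTIONS = {"Add", "Edit", "Delete"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')   # key="quoted value" or key=bare
SOURCE = re.compile(r"\(([^)]+)\)")                # address inside ui="GUI(addr)"

def parse_line(line):
    """Turn one key=value log line into a dict, honouring quoted values."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def audit_changes(log_text, shared=SHARED_ACCOUNTS):
    """Return (changes by named admin, changes made under a shared account)."""
    named, unattributed = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "event" or rec.get("action") not in CHANGE_ACTIONS:
            continue                                  # not a configuration change
        src = SOURCE.search(rec.get("ui", ""))
        change = {
            "when": f'{rec.get("date", "?")} {rec.get("time", "?")}',
            "what": f'{rec["action"]} {rec.get("cfgpath", "?")}',
            "source": src.group(1) if src else None,
        }
        user = rec.get("user", "")
        if not user or user in shared:
            unattributed.append(change)
        else:
            named[user].append(change)
    return dict(named), unattributed

def shared_account_sources(log_text):
    """Distinct source addresses seen behind shared-account changes."""
    return {c["source"] for c in audit_changes(log_text)[1]}

if __name__ == "__main__":
    named, unattributed = audit_changes(SAMPLE_LOG)
    print({u: len(c) for u, c in named.items()}, len(unattributed),
          shared_account_sources(SAMPLE_LOG))
```

In the sample, both policy changes logged as `admin` come from different source addresses, so the log alone cannot say which person made either one.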

There’s another reason to create separate accounts for each administrator. Newbies in the IT world typically think that an administrator has god-like power in the IT space. That couldn’t be further from the truth, however.

Being an administrator only means that a person has access to change and manage systems. That doesn’t mean that an administrator needs to be able to change and manage all systems. For example, you don’t want software engineers managing A.D. accounts, nor do you want a systems administrator to configure ports in a firewall. They have different areas of expertise, so they shouldn’t meddle in systems where they are not experts.

Why Use Remote Authentication for FortiGate Firewalls?

We mentioned in the section above that each administrator should have their own accounts, and they should never use the default admin account. Let’s say that your business has a metric ton of firewalls. 

If your business only has one firewall, it’s easy enough to create a local admin account for each administrator in the firewall. If your business has a hundred firewalls, you don’t want to create a hundred different admin accounts for each administrator. You only want to create one. 

This is why remote authentication is used in conjunction with FortiGate firewalls. It’s more manageable to create a single account in Active Directory or your LDAP server of choice, label an admin as an admin in A.D., and let the FortiGate firewall confirm that the user attempting to log into it is, in fact, an administrator. This is why we have LDAP servers. They are a great way to centralize user permissions and roles.

On a different note, you should still use remote authentication with FortiGate firewalls even if you only have one firewall in the business. Using remote authentication makes it far easier to cycle administrators as they come and go from the business.

What is FortiToken?

We just discussed why you don’t create local accounts for admins in FortiGate firewalls and why FortiGate firewalls should use remote authentication instead. What if someone steals the username and password of one of your administrators? That could be game over for an organization.

In this case, you may also want to use 2FA or MFA. Let’s focus on MFA. MFA stands for multi-factor authentication. It’s like using two passwords, a password and biometric reading, or a password and text message together. The lines are a little blurred between 2FA and MFA, but more often than not, the two terms can be used interchangeably as long as you understand there is a difference.

MFA boils down to something you know, like your password, and something you have, like a thumbprint or one-time token. Identity is proved by using both something you know and something you have in conjunction with each other. 

There are a lot of different ways to implement MFA. MFA is becoming popular in the enterprise world. If your business uses Office 365, chances are 2FA is enabled by default. 

FortiToken is an MFA service provided directly by the FortiGate firewalls. It’s the easiest way to configure MFA with FortiGate products.

Learn More About FortiGate Firewall Authentication

Authentication is a vast topic. There are sciences devoted strictly to authentication, so it goes without saying that we didn’t even scratch the surface of the subject. If you want to learn how to use remote authentication with Fortigate Firewalls.

