Fortinet Document Library

General considerations

  1. As the first step on a new deployment, review default settings such as administrator passwords, certificates for GUI and SSL VPN access, SSH keys, open administrative ports on interfaces, and default firewall policies. As soon as the FortiGate is connected to the internet it is exposed to external risks such as unauthorized access, man-in-the-middle attacks, spoofing, DoS attacks, and other malicious activity. Either use the startup wizard or manually reconfigure the default settings to tighten security from the beginning, so that the network is protected from the first day of operation.
  2. NAT mode is preferred for security purposes. NAT mode policies hide the addresses of hosts in a more secure zone from users in a less secure zone by translating them to a NATed IP address or IP address pool. This layer of obfuscation prevents malicious actors on the internet from learning the IP addresses of your resources in the LAN and DMZ.
  3. Use virtual domains (VDOMs) to group related interfaces or VLAN subinterfaces. Using VDOMs partitions networks and adds security by limiting the scope of threats.
  4. Use transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.
  5. When there are multiple Fortinet devices in the topology, use the Fortinet Security Fabric to easily manage the devices together. A Fortinet Security Fabric includes a root FortiGate, downstream FortiGates, and other Fortinet Fabric devices. It is recommended to use a maximum of 35 downstream FortiGates.
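As an added example, not taken from Fortinet's documentation, the following Python audit addresses the "open administrative ports on interfaces" item in step 1: it parses the `config system interface` section of a FortiOS configuration export and flags interfaces that permit plaintext management protocols, or any management protocol on a WAN-role interface. The sample configuration, interface names and addresses are constructed for the example; the protocol sets encode an assumed policy, not a Fortinet default.

```python
from typing import Dict, List

# Constructed FortiOS-style config export (not from the page). Only the
# 'config system interface' block is parsed; other sections are ignored.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http telnet
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
"""

# Assumed policy: these carry credentials unencrypted and should never be enabled.
PLAINTEXT_MGMT = {"http", "telnet"}
# Assumed policy: no management protocol at all on an interface with role "wan".
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}


def parse_interfaces(cfg: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {interface: {setting: [values]}} for 'config system interface'."""
    ifaces: Dict[str, Dict[str, List[str]]] = {}
    current, in_block = None, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            current = line.split(" ", 1)[1].strip('"')
            ifaces[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current and line.startswith("set "):
            _, key, *vals = line.split()
            ifaces[current][key] = vals  # e.g. allowaccess -> ["ping", "https", ...]
    return ifaces


def audit(cfg: str) -> List[str]:
    """Return one finding string per risky interface setting."""
    findings = []
    for name, attrs in parse_interfaces(cfg).items():
        access = set(attrs.get("allowaccess", []))
        plain = sorted(access & PLAINTEXT_MGMT)
        if plain:
            findings.append(f"{name}: plaintext management enabled: {' '.join(plain)}")
        exposed = sorted(access & MGMT_PROTOCOLS)
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(f"{name}: management reachable on WAN interface: {' '.join(exposed)}")
    return findings
```

Run `audit()` against a real `show system interface` export before the device is connected to the internet; the same parser can be extended to other sections such as `config system admin` for trusted-host checks.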
