Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hardening your FortiGate

    Home FortiGate / FortiOS 6.4.0 Hardening your FortiGate
    6.4.0
    6.4.0
    6.2.0
    6.0.0
    5.6.0

    System administrator best practices

    System administrator best practices

    This section describes a collection of changes you can implement to make administrative access to the GUI and CLI more secure.

    Disable administrative access to the external (Internet-facing) interface

    When possible, don’t allow administration access on the external (Internet-facing) interface.

    To disable administrative access, go to Network > Interfaces, edit the external interface and disable HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.

    From the CLI:

    config system interface

    edit <external-interface-name>

    unset allowaccess

    end

    Allow only HTTPS access to the GUI and SSH access to the CLI

    For greater security never allow HTTP or Telnet administrative access to a FortiGate interface, only allow HTTPS and SSH access. You can change these settings for individual interfaces by going to Network > Interfaces and adjusting the administrative access to each interface.

    From the CLI:

    config system interface

    edit <interface-name>

    set allowaccess https ssh

    end

    Require TLS 1.2 for HTTPS administrator access

    Use the following command to require TLS 1.2 for HTTPS administrator access to the GUI:

    config system global

    set admin-https-ssl-versions tlsv1-2

    end

    TLS 1.2 is currently the most secure SSL/TLS supported version for SSL-encrypted administrator access.

    Re-direct HTTP GUI logins to HTTPS

    Go to System > Settings > Administrator Settings and enable Redirect to HTTPS to make sure that all attempted HTTP login connections are redirected to HTTPS.

    From the CLI:

    config system global

    set admin-https-redirect enable

    end

    Change the HTTPS and SSH admin access ports to non-standard ports

    Go to System > Settings > Administrator Settings and change the HTTPS and SSH ports.

    You can change the default port configurations for HTTPS and SSH administrative access for added security. To connect to a non-standard port, the new port number must be included in the collection request. For example:

    • If you change the HTTPS port to 7734, you would browse to https://<ip-address>:7734.
    • If you change the SSH port to 2345, you would connect to ssh admin@<ip-address>:2345

    To change the HTTPS and SSH login ports from the CLI:

    config system global

    set admin-sport 7734

    set admin-ssh-port 2345

    end

    If you change to the HTTPS or SSH port numbers, make sure your changes do not conflict with ports used for other services.

    Maintain short login timeouts

    Set the idle timeout to a short time to avoid the possibility of an administrator walking away from their management computer and leaving it exposed to unauthorized personnel.

    To set the administrator idle timeout, go to System > Settings and enter the amount of time for the Idle timeout. A best practice is to keep the default time of 5 minutes.

    To set the administrator idle timeout from the CLI:

    config system global

    set admintimeout 5

    end

    You can use the following command to adjust the grace time permitted between making an SSH connection and authenticating. The range can be between 10 and 3600 seconds, the default is 120 seconds (minutes). By shortening this time, you can decrease the chances of someone attempting a brute force attack a from being successful. For example, you could set the time to 30 seconds.

    config system global

    set admin-ssh-grace-time 30

    end

    Restrict logins from trusted hosts

    Setting up trusted hosts for an administrator limits the addresses from where they can log into FortiOS. The trusted hosts configuration applies to most forms of administrative access including HTTPS, SSH, and SNMP. When you identify a trusted host for an administrator account, FortiOS accepts that administrator’s login only from one of the trusted hosts. A login, even with proper credentials, from a non-trusted host is dropped.

    note icon Even if you have configured trusted hosts, if you have enabled ping administrative access on a FortiGate interface, it will respond to ping requests from any IP address.

    To identify trusted hosts, go to System > Administrators, edit the administrator account, enable Restrict login to trusted hosts, and add up to ten trusted host IP addresses.

    To add two trusted hosts from the CLI:

    config system admin

    edit <administrator-name>

    set trustedhost1 172.25.176.23 255.255.255.255

    set trustedhost2 172.25.177.0 255.255.255.0

    end

    Trusted host IP addresses can identify individual hosts or subnets. Just like firewall policies, FortiOS searches through the list of trusted hosts in order and acts on the first match it finds. When you configure trusted hosts, start by adding specific addresses at the top of the list. Follow with more general IP addresses. You don't have to add addresses to all of the trusted hosts as long as all specific addresses are above all of the 0.0.0.0 0.0.0.0 addresses.

    Set up two-factor authentication for administrators

    FortiOS supports FortiToken and FortiToken Mobile 2-factor authentication. FortiToken Mobile is available for iOS and Android devices from their respective application stores.

    Every registered FortiGate unit includes two trial tokens for free. You can purchase additional tokens from your reseller or from Fortinet.

    To assign a token to an administrator, go to System > Administrators and select Enable Two-factor Authentication for each administrator.

    Create multiple administrator accounts

    Rather than allowing all administrators to access ForiOS with the same administrator account, you can create accounts for each person or each role that requires administrative access. This configuration allows you to track the activities of each administrator or administrative role.

    If you want administrators to have different functions you can add different administrator profiles. Go to System > Admin Profiles and select Create New.

    Modify administrator account lockout duration and threshold values

    By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

    Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

    To configure the lockout options:

    config system global

    set admin-lockout-threshold <failed_attempts>

    set admin-lockout-duration <seconds>

    end

    The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

    Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

    Example

    To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

    config system global

    set admin-lockout-threshold 1

    set admin-lockout-duration 300

    end

    note icon

    If the time span between the first failed login attempt and the admin-lockout-threshold failed login attempt is less than admin-lockout-duration, the lockout will be triggered.

    Rename the admin administrator account

    You can improve security by renaming the admin account. To do this, create a new administrator account with the super_admin admin profile and log in as that administrator. Then go to System > Administrators and edit the admin administrator and change the User Name. Renaming the admin account makes it more difficult for an attacker to log into FortiOS.

    Add administrator disclaimers

    FortiOS can display a disclaimer before or after logging into the GUI or CLI (or both). In either case the administrator must read and accept the disclaimer before they can proceed.

    Use the following command to display a disclaimer before logging in:

    config system global

    set pre-login-banner enable

    end

    Use the following command to display a disclaimer after logging in:

    config system global

    set post-login-banner enable

    end

    You can customize the replacement messages for these disclaimers by going to System > Replacement Messages. Select Extended View to view and edit the Administrator replacement messages.

    From the CLI:

    config system replacemsg admin pre_admin-disclaimer-text

    config system replacemsg admin post_admin-disclaimer-text

    Previous
    Next

    System administrator best practices

    System administrator best practices

    This section describes a collection of changes you can implement to make administrative access to the GUI and CLI more secure.

    Disable administrative access to the external (Internet-facing) interface

    When possible, don’t allow administration access on the external (Internet-facing) interface.

    To disable administrative access, go to Network > Interfaces, edit the external interface and disable HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.

    From the CLI:

    config system interface

    edit <external-interface-name>

    unset allowaccess

    end

    Allow only HTTPS access to the GUI and SSH access to the CLI

    For greater security never allow HTTP or Telnet administrative access to a FortiGate interface, only allow HTTPS and SSH access. You can change these settings for individual interfaces by going to Network > Interfaces and adjusting the administrative access to each interface.

    From the CLI:

    config system interface

    edit <interface-name>

    set allowaccess https ssh

    end

    Require TLS 1.2 for HTTPS administrator access

    Use the following command to require TLS 1.2 for HTTPS administrator access to the GUI:

    config system global

    set admin-https-ssl-versions tlsv1-2

    end

    TLS 1.2 is currently the most secure SSL/TLS supported version for SSL-encrypted administrator access.

    Re-direct HTTP GUI logins to HTTPS

    Go to System > Settings > Administrator Settings and enable Redirect to HTTPS to make sure that all attempted HTTP login connections are redirected to HTTPS.

    From the CLI:

    config system global

    set admin-https-redirect enable

    end

    Change the HTTPS and SSH admin access ports to non-standard ports

    Go to System > Settings > Administrator Settings and change the HTTPS and SSH ports.

    You can change the default port configurations for HTTPS and SSH administrative access for added security. To connect to a non-standard port, the new port number must be included in the collection request. For example:

    • If you change the HTTPS port to 7734, you would browse to https://<ip-address>:7734.
    • If you change the SSH port to 2345, you would connect to ssh admin@<ip-address>:2345

    To change the HTTPS and SSH login ports from the CLI:

    config system global

    set admin-sport 7734

    set admin-ssh-port 2345

    end

    If you change to the HTTPS or SSH port numbers, make sure your changes do not conflict with ports used for other services.

    Maintain short login timeouts

    Set the idle timeout to a short time to avoid the possibility of an administrator walking away from their management computer and leaving it exposed to unauthorized personnel.

    To set the administrator idle timeout, go to System > Settings and enter the amount of time for the Idle timeout. A best practice is to keep the default time of 5 minutes.

    To set the administrator idle timeout from the CLI:

    config system global

    set admintimeout 5

    end

    You can use the following command to adjust the grace time permitted between making an SSH connection and authenticating. The range can be between 10 and 3600 seconds, the default is 120 seconds (minutes). By shortening this time, you can decrease the chances of someone attempting a brute force attack a from being successful. For example, you could set the time to 30 seconds.

    config system global

    set admin-ssh-grace-time 30

    end

    Restrict logins from trusted hosts

    Setting up trusted hosts for an administrator limits the addresses from where they can log into FortiOS. The trusted hosts configuration applies to most forms of administrative access including HTTPS, SSH, and SNMP. When you identify a trusted host for an administrator account, FortiOS accepts that administrator’s login only from one of the trusted hosts. A login, even with proper credentials, from a non-trusted host is dropped.

    note icon Even if you have configured trusted hosts, if you have enabled ping administrative access on a FortiGate interface, it will respond to ping requests from any IP address.

    To identify trusted hosts, go to System > Administrators, edit the administrator account, enable Restrict login to trusted hosts, and add up to ten trusted host IP addresses.

    To add two trusted hosts from the CLI:

    config system admin

    edit <administrator-name>

    set trustedhost1 172.25.176.23 255.255.255.255

    set trustedhost2 172.25.177.0 255.255.255.0

    end

    Trusted host IP addresses can identify individual hosts or subnets. Just like firewall policies, FortiOS searches through the list of trusted hosts in order and acts on the first match it finds. When you configure trusted hosts, start by adding specific addresses at the top of the list. Follow with more general IP addresses. You don't have to add addresses to all of the trusted hosts as long as all specific addresses are above all of the 0.0.0.0 0.0.0.0 addresses.

    Set up two-factor authentication for administrators

    FortiOS supports FortiToken and FortiToken Mobile 2-factor authentication. FortiToken Mobile is available for iOS and Android devices from their respective application stores.

    Every registered FortiGate unit includes two trial tokens for free. You can purchase additional tokens from your reseller or from Fortinet.

    To assign a token to an administrator, go to System > Administrators and select Enable Two-factor Authentication for each administrator.

    Create multiple administrator accounts

    Rather than allowing all administrators to access ForiOS with the same administrator account, you can create accounts for each person or each role that requires administrative access. This configuration allows you to track the activities of each administrator or administrative role.

    If you want administrators to have different functions you can add different administrator profiles. Go to System > Admin Profiles and select Create New.

    Modify administrator account lockout duration and threshold values

    By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

    Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

    To configure the lockout options:

    config system global

    set admin-lockout-threshold <failed_attempts>

    set admin-lockout-duration <seconds>

    end

    The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

    Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

    Example

    To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

    config system global

    set admin-lockout-threshold 1

    set admin-lockout-duration 300

    end

    note icon

    If the time span between the first failed login attempt and the admin-lockout-threshold failed login attempt is less than admin-lockout-duration, the lockout will be triggered.

    Rename the admin administrator account

    You can improve security by renaming the admin account. To do this, create a new administrator account with the super_admin admin profile and log in as that administrator. Then go to System > Administrators and edit the admin administrator and change the User Name. Renaming the admin account makes it more difficult for an attacker to log into FortiOS.

    Add administrator disclaimers

    FortiOS can display a disclaimer before or after logging into the GUI or CLI (or both). In either case the administrator must read and accept the disclaimer before they can proceed.

    Use the following command to display a disclaimer before logging in:

    config system global

    set pre-login-banner enable

    end

    Use the following command to display a disclaimer after logging in:

    config system global

    set post-login-banner enable

    end

    You can customize the replacement messages for these disclaimers by going to System > Replacement Messages. Select Extended View to view and edit the Administrator replacement messages.

    From the CLI:

    config system replacemsg admin pre_admin-disclaimer-text

    config system replacemsg admin post_admin-disclaimer-text

    Previous
    Next