User authentication for management network access

Controlling who can access the FortiGate, and what permission they have, is integral to the security of your network.

Who can access the FortiGate

Users can log in to the FortiGate by authenticating locally with the FortiGate, or with a remote access server that is integrated with the FortiGate, such as LDAP or RADIUS servers.

For local accounts on the FortiGate, define a password policy to ensure a minimum complexity level.

Remote authentication servers enforce their own password policies and provide more configuration options. For example, you can use pre-defined security groups to grant access to a whole group of users at once. When an administrator's access needs to be removed, disabling their account on the remote authentication server also prevents them from logging in to the FortiGate.

Do not use shared accounts to access the FortiGate. Shared accounts are more likely to be compromised, are more difficult to maintain as password updates must be disseminated to all users, and make it impossible to audit access to the FortiGate.

In addition to accounts for GUI and CLI administration, the FortiGate can be managed with API calls by API users, who must generate authorization tokens for REST API messages. If the FortiGate is managed by running scripts over SSH, authenticate those users with certificates to avoid storing and maintaining passwords in the application that makes the SSH connection.

What can administrators access

The features that an administrator can access should be limited to the scope of that administrator's work to reduce possible attack vectors. The access profile tied to the user account defines the areas on the FortiGate that the administrator can access, and what they can do in those areas. The list of users with access should be audited regularly to ensure that it is current.

How can users access the FortiGate

Limit access to the FortiGate to a management interface on a management network. Trusted hosts can also be used to specify the IP addresses or subnets that can log in to the FortiGate.

When authenticating to the FortiGate, implement multi-factor authentication (MFA). This makes it significantly more difficult for an attacker to gain access to the FortiGate.
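As an added example (not part of the Fortinet documentation), the following FortiOS CLI configuration puts the points above together: a password policy for local administrator accounts, a least-privilege access profile, a named local administrator restricted to a management subnet with FortiToken MFA, and a remote administrator entry whose access is governed by membership in an LDAP-backed group. The account names, subnet, profile name and token serial are placeholders, and the user group "netops-admins" (bound to the LDAP server) is assumed to exist already.

```text
# Password policy for local administrator accounts (placeholder values)
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 14
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end

# Least-privilege access profile: read-only everywhere except log handling
config system accprofile
    edit "audit-readonly"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read-write
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
    next
end

config system admin
    # Named (not shared) local administrator: MFA plus trusted management subnet
    edit "auditor-jdoe"
        set accprofile "audit-readonly"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB-PLACEHOLDER"
    next
    # Remote administrators: access follows membership in the LDAP-backed group,
    # so disabling the account on the directory server removes FortiGate access
    edit "netops-remote"
        set remote-auth enable
        set remote-group "netops-admins"
        set wildcard enable
        set accprofile "prof_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
```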