Fortinet black logo

Best Practices

Home FortiGate / FortiOS 7.0.0 Best Practices

Basic configuration

7.0.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0
6.0.0
Copy Link
Copy Doc ID 7c8e21ef-1be2-11ec-8c53-00505692583a:432273
Download PDF

Basic configuration

As the first step on a new deployment, review default settings such as administrator passwords, certificates for GUI and SSL VPN access, SSH keys, open administrative ports on interfaces, and default firewall policies.

As soon as the FortiGate is connected to the internet it is exposed to external risks, such as unauthorized access, man-in-the-middle attacks, spoofing, DoS attacks, and other malicious activities from malicious actors. Either use the start up wizard or manually reconfigure the default settings to tighten your security from the beginning.

For instructions on connecting to your devices GUI and CLI, see the FortiOS Administration Guide and the FortiGate QuickStart Guides.

  • Operating mode:

    NAT mode is preferred for security purposes. NAT mode policies translate addresses in a more secure zone from users that are in a less secure zone using a NATed IP address or IP address pool. This layer of obfuscation prevents malicious actors on the internet from knowing the IP addresses of the resources in your LAN and DMZ.

    Use transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.

  • Firmware:

    If the shipped firmware is not the firmware that you will be running, either load the required firmware before doing any configuration, or establish remote access for the additional firmware upload options (SFTP, FTP, SCP, HTTPS) and then load the required firmware.

  • Hostname:

    Use a meaningful hostname. It is used in the CLI prompt, as the SNMP system name, as the FortiGate Cloud device name, and as the device name in an HA configuration.

  • System time:

    Several FortiGate features rely on an accurate system time, such as logging and certificate related functions. It is recommended that you use a Network Time Protocol (NTP) or Precision Time Protocol (PTP) server to set the system time. If necessary, the system time can be set manually.

  • Administrator password:

    The admin administrator password must be set when you first log in to the FortiGate. Ensure that the password is unique and has adequate complexity.

  • Management interface:

    Configure the IP address, subnet mask, and only the required administrative access services (such as HTTPS and SSH) on the management interface.

Previous
Next

Basic configuration

As the first step on a new deployment, review default settings such as administrator passwords, certificates for GUI and SSL VPN access, SSH keys, open administrative ports on interfaces, and default firewall policies.

As soon as the FortiGate is connected to the internet it is exposed to external risks, such as unauthorized access, man-in-the-middle attacks, spoofing, DoS attacks, and other malicious activities from malicious actors. Either use the start up wizard or manually reconfigure the default settings to tighten your security from the beginning.

For instructions on connecting to your devices GUI and CLI, see the FortiOS Administration Guide and the FortiGate QuickStart Guides.

  • Operating mode:

    NAT mode is preferred for security purposes. NAT mode policies translate addresses in a more secure zone from users that are in a less secure zone using a NATed IP address or IP address pool. This layer of obfuscation prevents malicious actors on the internet from knowing the IP addresses of the resources in your LAN and DMZ.

    Use transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.

  • Firmware:

    If the shipped firmware is not the firmware that you will be running, either load the required firmware before doing any configuration, or establish remote access for the additional firmware upload options (SFTP, FTP, SCP, HTTPS) and then load the required firmware.

  • Hostname:

    Use a meaningful hostname. It is used in the CLI prompt, as the SNMP system name, as the FortiGate Cloud device name, and as the device name in an HA configuration.

  • System time:

    Several FortiGate features rely on an accurate system time, such as logging and certificate related functions. It is recommended that you use a Network Time Protocol (NTP) or Precision Time Protocol (PTP) server to set the system time. If necessary, the system time can be set manually.

  • Administrator password:

    The admin administrator password must be set when you first log in to the FortiGate. Ensure that the password is unique and has adequate complexity.

  • Management interface:

    Configure the IP address, subnet mask, and only the required administrative access services (such as HTTPS and SSH) on the management interface.

Previous
Next