As the first step on a new deployment, review default settings such as administrator passwords, certificates for GUI and SSL VPN access, SSH keys, open administrative ports on interfaces, and default firewall policies.
As soon as the FortiGate is connected to the internet, it is exposed to external risks such as unauthorized access, man-in-the-middle attacks, spoofing, DoS attacks, and other hostile activity. Either use the startup wizard or manually reconfigure the default settings to tighten security from the beginning.
NAT mode is preferred for security purposes. In NAT mode, policies translate the addresses of resources in a more secure zone for users in a less secure zone, using a NATed IP address or an IP address pool. This layer of obfuscation prevents malicious actors on the internet from learning the IP addresses of the resources in your LAN and DMZ.
Use transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.
If the shipped firmware is not the firmware that you will be running, either load the required firmware before doing any configuration, or establish remote access for the additional firmware upload options (SFTP, FTP, SCP, HTTPS) and then load the required firmware.
Use a meaningful hostname. It is used in the CLI prompt, as the SNMP system name, as the FortiGate Cloud device name, and as the device name in an HA configuration.
Several FortiGate features rely on an accurate system time, such as logging and certificate-related functions. It is recommended that you use a Network Time Protocol (NTP) or Precision Time Protocol (PTP) server to set the system time. If necessary, the system time can be set manually.
The admin administrator password must be set when you first log in to the FortiGate. Ensure that the password is unique and has adequate complexity.
Configure the IP address, subnet mask, and only the required administrative access services (such as HTTPS and SSH) on the management interface.
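Three of the items above (a meaningful hostname, NTP time sync, and only HTTPS/SSH on management interfaces) can be verified against a configuration backup before the unit goes on the internet. The following is an added example, not Fortinet code: it parses the FortiOS config/edit/set/next/end text format and reports which of those items a constructed sample backup fails.

```python
"""Added example (not Fortinet code): lint a FortiOS backup against the checklist above.
Parses config/edit/set/next/end text; flags clear-text admin services, NTP off, no hostname."""
import shlex

# Constructed sample backup (illustrative values); 'config system global' is omitted on purpose.
SAMPLE_CONFIG = """\
config system ntp
    set ntpsync disable
end
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet fgfm
    next
    edit "port2"
        set allowaccess https ssh
    next
end
"""
CLEARTEXT_SERVICES = {"http", "telnet"}  # admin services that send credentials in the clear

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts; a stack follows config/edit nesting."""
    root, stack = {}, []
    for line in text.splitlines():
        parts = shlex.split(line.strip())  # also strips the quotes around edit names
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        node = stack[-1] if stack else root
        if cmd in ("config", "edit"):          # open a nested block
            stack.append(node.setdefault(" ".join(args), {}))
        elif cmd == "set":                     # key -> list of values
            node[args[0]] = args[1:]
        elif cmd in ("next", "end"):           # close the current block
            stack.pop()
    return root

def lint(text):
    """Return a list of findings; an empty list means these checklist items pass."""
    cfg = parse_fortios(text)
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        bad = CLEARTEXT_SERVICES & set(attrs.get("allowaccess", []))
        if bad:
            findings.append(f"interface {name}: clear-text admin access {sorted(bad)}")
    if cfg.get("system ntp", {}).get("ntpsync") != ["enable"]:
        findings.append("system ntp: ntpsync not enabled")
    if "hostname" not in cfg.get("system global", {}):
        findings.append("system global: hostname not set")
    return findings
```

Run `lint()` over the text of a real backup to get the same three classes of findings; the sample deliberately trips all of them.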