Administrative settings

The following general administrative settings are recommended:

  • Set the idle timeout for administrators to a low value, preferably less than ten minutes.

  • Use non-standard HTTPS and SSH ports for administrative access.

  • Disable weak encryption protocols.

  • Disable the maintainer account if the FortiGate device's physical security cannot be guaranteed.

    The built-in maintainer account is used to log in to the FortiGate if you have lost all administrator credentials. Physical access to the FortiGate device is required. If the maintainer account is disabled and you lose all of your administrator credentials, then you will no longer be able to access the FortiGate and it will need to be reset to factory default settings.

    Note

    The maintainer account has been removed in FortiOS 7.2.4 and later.

  • Replace the certificate that is offered for HTTPS access with a trusted certificate that has the FQDN or IP address of the FortiGate.

  • Configure the Fortinet Security Fabric when multiple FortiGates and fabric devices are used. It provides single-pane-of-glass administration, allowing administrators access to each device in the fabric using SSO.

    A Fortinet Security Fabric includes a root FortiGate, downstream FortiGates, and other Fortinet fabric devices. A maximum of 35 downstream FortiGates is recommended.
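The checklist above can be verified against a configuration backup rather than by clicking through the GUI. The script below is an added example, not Fortinet's own code or tooling: it parses the `config system global` block of a FortiOS backup and flags settings that miss the recommendations (idle timeout, non-standard admin ports, strong crypto, maintainer account, admin HTTPS certificate). The CLI keywords `admintimeout`, `admin-sport`, `admin-ssh-port`, `strong-crypto`, `admin-maintainer` and `admin-server-cert` are FortiOS keywords as the author knows them; the sample configurations are constructed, and the assumed factory certificate names are an assumption noted in the code.

```python
"""Audit the 'config system global' block of a FortiGate backup against the
administrative hardening checklist (added example; not Fortinet's tooling)."""
import re

# Constructed sample: a weak 'config system global' block as it would appear
# in a FortiOS configuration backup. Values chosen to trip every check.
WEAK_CONFIG = """\
config system global
    set admin-sport 443
    set admin-ssh-port 22
    set admintimeout 30
    set admin-maintainer enable
    set admin-server-cert "Fortinet_Factory"
    set strong-crypto disable
    set hostname "FGT-LAB"
end
"""

# Constructed sample: the same block after applying the recommendations.
# "corp-admin-cert" is a hypothetical imported certificate name.
HARDENED_CONFIG = """\
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
    set admintimeout 5
    set admin-maintainer disable
    set admin-server-cert "corp-admin-cert"
    set strong-crypto enable
    set hostname "FGT-LAB"
end
"""

# Assumption: these are the certificate names FortiOS ships for the admin GUI.
FACTORY_CERTS = ("Fortinet_Factory", "self-sign")
SETTING_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_system_global(config_text):
    """Return {keyword: value} for the first 'config system global' block.

    Quoted values lose their quotes. FortiOS omits settings that are still
    at their default, so a keyword may be absent from the dict.
    """
    settings = {}
    in_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config system global":
            in_block = True
            continue
        if in_block and stripped == "end":
            break
        if in_block:
            m = SETTING_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings


def audit_admin_settings(settings, max_idle_minutes=10):
    """Return a list of (keyword, finding) for settings that miss the checklist.

    Only admintimeout is given a default when absent (5 minutes); for the other
    keywords an absent value cannot be trusted from the backup alone and is
    reported as a finding asking for verification on the device.
    """
    findings = []
    timeout = int(settings.get("admintimeout", "5"))
    if timeout >= max_idle_minutes:
        findings.append(("admintimeout",
                         f"idle timeout is {timeout} min; set it below {max_idle_minutes}"))

    expectations = {
        # keyword: (predicate on the explicit value, message when it fails)
        "admin-sport": (lambda v: v != "443", "HTTPS admin on standard port 443"),
        "admin-ssh-port": (lambda v: v != "22", "SSH admin on standard port 22"),
        "strong-crypto": (lambda v: v == "enable", "weak protocols/ciphers allowed"),
        "admin-maintainer": (lambda v: v == "disable", "maintainer account enabled (removed in 7.2.4+)"),
        "admin-server-cert": (lambda v: v not in FACTORY_CERTS, "admin HTTPS uses the factory certificate"),
    }
    for keyword, (ok, message) in expectations.items():
        value = settings.get(keyword)
        if value is None:
            findings.append((keyword, "not explicitly set in backup; verify on the device"))
        elif not ok(value):
            findings.append((keyword, message))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for keyword, finding in audit_admin_settings(parse_system_global(cfg)) or [("-", "no findings")]:
            print(f"  {keyword}: {finding}")
```

Run it against a real backup by reading the file into `parse_system_global`; settings the backup omits are reported for manual verification instead of being assumed safe, because a backup only records values that differ from the firmware default.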

Note

In FortiOS 7.2.6 and later, as part of improvements to reduce memory usage, FortiGate models with 2 GB RAM cannot be the root of the Security Fabric topology or any mid-tier part of the topology. They can only be configured as downstream devices in a Security Fabric or as standalone devices.

The affected models are the FortiGate 40F, 60E, 60F, 80E and 90E series devices and their variants.
