
Administration Guide

Password policy

Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.

Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

  • Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.

  • Use numbers in place of letters, for example: passw0rd.

  • Administrator passwords can be up to 64 characters.

  • Include a mixture of numbers, symbols, and upper and lower case letters.

  • Use multiple words together, or possibly even a sentence, for example: correcthorsebatterystaple.

  • Use a password generator.

  • Change the password regularly and always make the new password unique and not a variation of the existing password. For example, do not change from password to password1.

  • Limit the number of passwords that can be reused.

  • Make note of the password and store it in a safe place away from the management computer, in case you forget it; or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have two different admin logins.

FortiGate allows you to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular password changes and specific password criteria.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs in to the FortiGate, the administrator is prompted to update the password to meet the new requirements before proceeding to log in.

For information about setting passwords, see Default administrator password.

To create a system password policy in the GUI:
  1. Go to System > Settings.

  2. In the Password Policy section, configure the options:

    Password history threshold

    Global maximum number of previous passwords saved for each local user and system administrator.

    Password scope

    Where the password policy applies:

    • Off - Password policy is disabled.

    • Admin - Password policy applies to administrators.

    • IPsec - Password policy applies to IPsec pre-shared keys.

    • Both - Password policy applies to both administrators and IPsec pre-shared keys.

    Minimum length

    The minimum length, between 8 and 64 characters.

    Minimum number of new characters

    The number of new characters required.

    Character requirements

    Enable to specify character requirements for the password:

    • Upper case - If the password must contain uppercase (A, B, C) characters.

    • Lower case - If the password must contain lowercase (a, b, c) characters.

    • Numbers (0 - 9) - If the password must contain numbers (1, 2, 3).

    • Special - If the password must contain special or non-alphanumeric characters: !, @, #, $, %, ^, &, *, (, and )

    Allow password reuse

    Applies only to administrators. Available when Password scope is set to Admin or Both.

    Disable for unlimited password reuse.

    Enable to specify the number of passwords that can be reused. Choose from:

    • No limit - Allow unlimited password reuse.

    • Specify - Specify how many times a password can be reused. Must be lower than the Password history threshold.

    Password history is visible in the backup configuration.

    Password expiration

    How long a password remains valid before a new one must be specified.

  3. Click Apply.

To create a system password policy in the CLI:

The password policy applies to all administrator accounts when enabled, including the built-in admin account named admin. If an existing system administrator account does not comply with the enabled password policy, the administrator is forced to change the password at the next login.

  1. Configure a global password history limit.

    In this example, the global policy is to save three passwords for each local user and system administrator.

    config system global
        set user-history-password-threshold 3
    end
  2. Configure a password policy for system administrators:

    1. Enable the password policy.

      config system password-policy
          set status enable    
      end
    2. Enable password expiration:

      config system password-policy
          set expire-status enable    
      end
    3. Set the number of days after which passwords expire, the password criteria, and password reuse limit.

      In this example, the reuse-password-limit is set to 1, which means one of the globally-set three saved passwords can be reused.

      config system password-policy
          set apply-to {admin-password | ipsec-preshared-key}
          set minimum-length <8-128>
          set min-lower-case-letter <0-128>
          set min-upper-case-letter <0-128>
          set min-non-alphanumeric <0-128>
          set min-number <0-128>
          set min-change-characters <0-128>
          set expire-day 90    
          set reuse-password enable
          set reuse-password-limit 1
      end
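
The following Python is an added example, not Fortinet code: it models the checks that a policy with the settings above (and the local-user policy in the next procedure) imposes on a candidate password, using the page's key names as field names. How each rule is evaluated, in particular min-change-characters and reuse-password-limit, is this example's assumed interpretation of the documentation, and PasswordPolicy, check_password and PAGE_POLICY are names chosen here.

```python
from collections import Counter
from dataclasses import dataclass

# Field names mirror the "config system password-policy" keys on this page;
# the way each rule is evaluated below is this example's assumed reading.
@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    min_lower_case_letter: int = 0
    min_upper_case_letter: int = 0
    min_number: int = 0
    min_non_alphanumeric: int = 0
    min_change_characters: int = 0
    reuse_password: bool = False   # assumed: disabled means unlimited reuse
    reuse_password_limit: int = 0  # must be lower than the history threshold

SPECIAL = set("!@#$%^&*()")  # the characters the GUI lists under "Special"

def changed_characters(old: str, new: str) -> int:
    # Assumed interpretation of min-change-characters: characters of the
    # new password that are not in the old one, counted with multiplicity.
    return sum((Counter(new) - Counter(old)).values())

def check_password(candidate, policy, history, history_threshold):
    """Return violated rules; an empty list means the password is accepted.
    `history` holds previous passwords, most recent first; only the newest
    `history_threshold` entries (user-history-password-threshold) count."""
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append(f"minimum-length {policy.minimum_length}")
    required = {
        "min-lower-case-letter": (policy.min_lower_case_letter, sum(c.islower() for c in candidate)),
        "min-upper-case-letter": (policy.min_upper_case_letter, sum(c.isupper() for c in candidate)),
        "min-number": (policy.min_number, sum(c.isdigit() for c in candidate)),
        "min-non-alphanumeric": (policy.min_non_alphanumeric, sum(c in SPECIAL for c in candidate)),
    }
    for key, (need, have) in required.items():
        if have < need:
            problems.append(f"{key} {need} (has {have})")
    saved = history[:history_threshold]
    if saved and changed_characters(saved[0], candidate) < policy.min_change_characters:
        problems.append(f"min-change-characters {policy.min_change_characters}")
    # Assumed: the candidate may match at most reuse-password-limit saved entries.
    if policy.reuse_password and saved.count(candidate) > policy.reuse_password_limit:
        problems.append(f"reuse-password-limit {policy.reuse_password_limit}")
    return problems

# Constructed policy matching the page's example (history threshold 3, reuse limit 1).
PAGE_POLICY = PasswordPolicy(minimum_length=8, min_lower_case_letter=1,
                             min_upper_case_letter=1, min_number=1,
                             min_non_alphanumeric=1, min_change_characters=3,
                             reuse_password=True, reuse_password_limit=1)
```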
To create a password policy for a local user in the CLI:

Multiple password policies can be created and applied to different local user accounts.

  1. Configure a global password history limit.

    In this example, the global policy is to save three passwords for each local user and system administrator.

    config system global
        set user-history-password-threshold 3
    end
  2. Configure a password policy for local users:

    1. Before you can configure the password limit, enable expire-status and reuse-password.

      config user password-policy
          edit 1
              set expire-status enable
              set reuse-password enable 
          next
      end
    2. Specify the maximum number of times a user can reuse a password.

      In this example, the reuse-password-limit is set to 1, which means one of the globally-set three saved passwords can be reused.

      config user password-policy
          edit 1
              set reuse-password-limit 1
          next
      end
  3. Assign the password policy to a local user.

    In this example, password policy 1 is assigned to local user local2.

    config user local
        edit "local2"
            set type password
            set passwd-policy "1"
            set passwd ********
        next
    end
  4. Add the local user to a firewall policy, an SSL VPN policy, or to FortiGate user groups used in policies.

Before the password for the local user expires, the FortiOS GUI provides the option to change the password during login or skip the password change.

If the password for the local user has expired, the FortiOS GUI provides the option to change the password during login. When the local user enters a password that adheres to the policy, the login continues. If the new password has been used too many times before, a warning message is displayed.
