Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

General security tuning

The following is a general list of techniques and strategies to improve the security of your FortiMail device.

  • Install the FortiMail unit in a secure location, such as a locked room with restricted access. Prohibiting access to the unit will increase the security of the device since unauthorized users can disrupt your entire network through unintentional and intentional interventions
  • Always remember to upgrade the firmware to the latest version.
  • Avoid generic administrator account names such as “admin”. If an attacker can guess your admin name they will only need to determine your password.
  • Do not allow administration access on the external interface and use internal access methods such as IPsec VPN or SSL VPN. If you have to have remote access and cannot use IPsec or SSL VPN, only allow HTTPS and SSH and use secure access methods such as trusted hosts and Two-factor authentication.
  • Make sure to establish trusted hosts for administrators to limit what computers an administrator can log in to the unit from. Identifying a trusted house will make the unit only accept the administrator’s login from the configured IP address or subnet.
  • Change the default administrative port to a non-standard port.
  • Register with support services to activate the warranty on your device.
  • To avoid the possibility of an administrator walking away from the management computer and leaving it exposed, you can add an automatic idle time-out. If the web-based manager is not used for a specified amount of time, the unit automatically logs the administrator out.
  • Enable automatic clock synchronization to facilitate auditing and consistency between expiry dates used in expiration of certificates and security protocols.
  • Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if “p4ssw0rd” is used as a password, it can be cracked. Create a safer password policy that administrators must follow to facilitate a safer connection.
  • Set a lockout duration for when an administrator enters an incorrect password a specified number of times, using the CLI command set admin-lockout-duration and set admin-lockout-threshold under config system global.

General security tuning

The following is a general list of techniques and strategies to improve the security of your FortiMail device.

  • Install the FortiMail unit in a secure location, such as a locked room with restricted access. Prohibiting access to the unit will increase the security of the device since unauthorized users can disrupt your entire network through unintentional and intentional interventions
  • Always remember to upgrade the firmware to the latest version.
  • Avoid generic administrator account names such as “admin”. If an attacker can guess your admin name they will only need to determine your password.
  • Do not allow administration access on the external interface and use internal access methods such as IPsec VPN or SSL VPN. If you have to have remote access and cannot use IPsec or SSL VPN, only allow HTTPS and SSH and use secure access methods such as trusted hosts and Two-factor authentication.
  • Make sure to establish trusted hosts for administrators to limit what computers an administrator can log in to the unit from. Identifying a trusted house will make the unit only accept the administrator’s login from the configured IP address or subnet.
  • Change the default administrative port to a non-standard port.
  • Register with support services to activate the warranty on your device.
  • To avoid the possibility of an administrator walking away from the management computer and leaving it exposed, you can add an automatic idle time-out. If the web-based manager is not used for a specified amount of time, the unit automatically logs the administrator out.
  • Enable automatic clock synchronization to facilitate auditing and consistency between expiry dates used in expiration of certificates and security protocols.
  • Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if “p4ssw0rd” is used as a password, it can be cracked. Create a safer password policy that administrators must follow to facilitate a safer connection.
  • Set a lockout duration for when an administrator enters an incorrect password a specified number of times, using the CLI command set admin-lockout-duration and set admin-lockout-threshold under config system global.