
Security Best Practices

For stronger security, implement the following security best practices.

Administrator access best practices

  • Enable password policy and set requirements for the administrator password. The password policy lets you specify the administrator's password minimum length, type of characters it must contain, and the number of days to password expiry.
  • Use CLI commands to configure the administrator's lockout threshold (failed login attempts) and lockout duration.

    For example, to lock the account after two failed attempts and keep it locked for two minutes before the administrator can log in again, enter the following CLI commands:

    config system global
        set admin-lockout-threshold 2
        set admin-lockout-duration 120
    end

  • Set a lower idle timeout so that unattended workstations are logged out.
  • Use multi-factor authentication for administrators. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.
  • Limit administrator access. For example, configure trusted hosts and allowaccess. See Restricting GUI access by trusted hosts.

Encryption best practices

Set a strong encryption level. Use the SSL protocol version (TLS version) that meets PCI compliance or your organization’s security requirements. For example:

config system global
    set enc-algorithm high
    set fgfm-ssl-protocol tlsv1.2
    set oftp-ssl-protocol tlsv1.2
    set ssl-protocol tlsv1.2
    set webservice-proto tlsv1.2
    set ssl-low-encryption disable
end

config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
end

The enc-algorithm setting allows you to specify the security levels for cipher suites.

  • set enc-algorithm low uses all OpenSSL ciphers.

  • set enc-algorithm medium uses high and medium OpenSSL ciphers.

  • set enc-algorithm high (default) uses only high OpenSSL ciphers.

Other security best practices

  • Disable unused interfaces.

  • Upgrade firmware to the latest version.

  • Install physical devices in a restricted area.

  • Place the FortiManager behind a firewall, such as a FortiGate, to limit attempts to access the FortiManager device.

    Note

    When FortiManager is behind a FortiGate, AV and IPS features can be enabled on the FortiGate to further protect FortiManager from malware or intrusion attacks. See the FortiGate Administration Guide.

    If the firewall in front of the FortiManager is NATing the traffic, configure the FortiManager with the dedicated public IP (see the following Fortinet Community article). This ensures that FortiGate devices are able to initiate communications (FGFM tunnels) to the FortiManager.

    If a public FortiGate (or an internal FortiGate behind a FortiGate firewall) needs to access this FortiManager over port 541, you can use a VPN between the FortiGates so that the FortiGate-to-FortiManager connection still uses internal subnet IPs.

    If port TCP/541 of FortiManager is exposed publicly, it is recommended to enable fgfm-deny-unknown. See Denying unknown connections to FortiManager.

  • Set up NTP. For example:

    config system ntp
        set status enable
        set sync_interval 60
        config ntpserver
            edit 1
                set server {<address_ipv4> | <fqdn_str>}
            end
        end
    end

  • For audit purposes:
    • Use named accounts wherever possible.
    • Send logs to a central log destination, like FortiAnalyzer.

    Note

    Do not lose the administrator login information, as there is no password recovery mechanism in FortiManager 5.4.0 and later.

Denying unknown connections to FortiManager

Deny unknown FGFM connections

If the FortiManager is on a public network, it is recommended that you enable the fgfm-deny-unknown command in the CLI. When this command is enabled, the FortiManager will only allow FGFM connections from Device Manager managed devices. FortiManager will not add any devices with unknown serial numbers to the unregistered devices list.

When this setting is enabled, new devices added to FortiManager need to be discovered from FortiManager, or you can perform zero-touch provisioning by adding a model device for the FortiGate which includes the device serial number.

Enabling this setting blocks zero-touch provisioning for model devices configured with a pre-shared key, and will only accept model devices configured with a serial number.

To deny unknown connections over FGFM:

config system global
    set fgfm-deny-unknown enable
end

Note

Devices that are already in the Unauthorized Devices list will not be removed when this setting is enabled.

Use a custom certificate for the FGFM connection

You can further secure the FGFM connection by using the following commands to enforce the use of a custom CA certificate for the FGFM connection and prevent FortiManager from accepting the default certificate. The custom certificate must be installed on all connecting FortiGates. Connections are denied when the FortiGate does not present a certificate issued by the custom CA.

config system global
    set fgfm-ca-cert <ca_certificate_name>
    set fgfm-cert-exclusive enable
end

Deny unauthorized devices connecting using syslog

When FortiAnalyzer features are enabled, FortiManager can also receive logs. Use the following commands so that FortiManager does not accept syslog connections from unregistered devices.

To deny unknown connections to syslog:

config system global
    set detect-unregistered-log-device disable
end

Deny unauthorized devices connecting to the FortiManager FDS

You can block unauthorized devices from obtaining FortiGate update and web filtering services from the FortiManager acting as FDS.

To deny unknown connections to FDS:

config fmupdate fds-setting
    set unreg-dev-option ignore
end
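The encryption settings above and the three deny-unknown settings in this section are easy to miss in a large configuration backup. The following added example (not Fortinet code) parses a FortiManager-style CLI dump and reports every recommended setting that is missing or non-compliant; it assumes a config dump in the `config ... set ... end` form shown on this page, treats any TLS version of 1.2 or newer as acceptable (a generalization of the tlsv1.2 values above), and uses a constructed sample dump.

```python
# Added example, not Fortinet code: audit a FortiManager CLI dump against this page's settings.
import re
TLS12 = "tlsv1.2 or newer"  # marker: any TLS version >= 1.2 satisfies the rule
RULES = {  # CLI path -> {setting: required value}
    "system global": {
        "enc-algorithm": "high", "ssl-low-encryption": "disable",
        "fgfm-deny-unknown": "enable", "fgfm-cert-exclusive": "enable",
        "detect-unregistered-log-device": "disable", "ssl-protocol": TLS12,
        "fgfm-ssl-protocol": TLS12, "oftp-ssl-protocol": TLS12, "webservice-proto": TLS12},
    "fmupdate fds-setting": {"fds-ssl-protocol": TLS12, "unreg-dev-option": "ignore"}}

def parse_fmg_config(text):
    """{path: {key: value}} for top-level blocks; nested config/edit blocks only move the depth."""
    blocks, path, depth = {}, None, 0
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("config ", "edit ")):
            depth += 1
            if depth == 1:
                path = line.split(" ", 1)[1]
                blocks.setdefault(path, {})
        elif line in ("end", "next"):
            depth -= 1
        elif line.startswith("set ") and depth == 1:
            key, _, value = line[4:].partition(" ")
            blocks[path][key] = value.strip()
    return blocks

def audit(text):
    """Sorted findings; a setting absent from the dump is reported, not assumed OK (dumps omit defaults)."""
    cfg, findings = parse_fmg_config(text), []
    for path, rules in RULES.items():
        for key, want in rules.items():
            have = cfg.get(path, {}).get(key)
            if have is None:
                findings.append(f"{path} {key}: not set, verify the default")
                continue
            m = re.fullmatch(r"tlsv(\d+)\.(\d+)", have)
            ok = (bool(m) and (int(m[1]), int(m[2])) >= (1, 2)) if want == TLS12 else have == want
            if not ok:
                findings.append(f"{path} {key}: {have} (want {want})")
    return sorted(findings)

SAMPLE = """config system global
    set enc-algorithm low
    set ssl-protocol tlsv1.1
    set detect-unregistered-log-device enable
end
config fmupdate fds-setting
    set unreg-dev-option ignore
end"""
```

Running `audit(SAMPLE)` lists the weak cipher level, the TLS 1.1 setting and the enabled unregistered-log-device detection, plus every recommended setting the sample leaves unset.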
