7.6.0

User authentication for management network access

Controlling who can access the FortiProxy, and what permissions they have, is integral to the security of your network.

Who can access the FortiProxy

Users can log in to the FortiProxy by authenticating locally with the FortiProxy, or with a remote access server that is integrated with the FortiProxy, such as LDAP or RADIUS servers.

For local accounts on the FortiProxy, define a password policy to ensure a minimum complexity level.

Remote authentication servers enforce their own password policies. They also provide more configuration options. For example, you can use pre-defined security groups to enable access to a group of users. When an administrator's access needs to be removed, disabling their account in the remote access server prevents them from logging in to the FortiProxy.

Do not use shared accounts to access the FortiProxy. Shared accounts are more likely to be compromised, are more difficult to maintain as password updates must be disseminated to all users, and make it impossible to audit access to the FortiProxy.

In addition to accounts for GUI and CLI administration, the FortiProxy can be managed with API calls by API users who are required to generate authorization tokens for REST API messages. If the FortiProxy is managed by running scripts over SSH, authenticate users using certificates to avoid storing and maintaining passwords in the application that is making the SSH connection.

What can administrators access

The features that an administrator can access should be limited to the scope of that administrator's work to reduce possible attack vectors. The access profile tied to the user account defines the areas on the FortiProxy that the administrator can access, and what they can do in those areas. The list of users with access should be audited regularly to ensure that it is current.

How can users access the FortiProxy

Limit access to the FortiProxy to a management interface on a management network. Trusted hosts can also be used to specify the IP addresses or subnets that can log in to the FortiProxy.

When authenticating to the FortiProxy, implement multi-factor authentication (MFA). This makes it significantly more difficult for an attacker to gain access to the FortiProxy.
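
An added example, not Fortinet's code: a Python check that audits an administrator configuration excerpt for the controls described on this page (trusted hosts, MFA, scoped access profiles). The sample configuration is constructed, and the FortiOS-style key names (`accprofile`, `trusthost1`, `two-factor`) and the `super_admin` profile name are assumptions to confirm against the FortiProxy CLI reference for your version.

```python
import shlex
# Constructed sample; FortiOS-style key names are assumed, check the CLI reference.
SAMPLE_CONFIG = '''\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "alice"
        set accprofile "proxy_readonly"
        set trusthost1 10.10.20.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "netops-shared"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
'''

def parse_admins(text):  # returns {admin name: {setting: value}}
    admins, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)  # handles quoted names and values
        if tok[:1] == ["edit"]:
            current = admins.setdefault(tok[1], {})
        elif tok[:1] == ["next"]:
            current = None
        elif tok[:1] == ["set"] and current is not None:
            current[tok[1]] = " ".join(tok[2:])
    return admins

def audit(admins):
    """Return {admin name: [findings]} for the controls this page recommends."""
    report = {}
    for name, cfg in admins.items():
        findings = []
        hosts = [v for k, v in cfg.items() if k.startswith("trusthost")]
        # An unset entry or 0.0.0.0 leaves login open to any source address.
        if not any(h.split()[0] != "0.0.0.0" for h in hosts):
            findings.append("no trusted hosts: login allowed from any address")
        if cfg.get("two-factor", "disable") == "disable":
            findings.append("no MFA configured")
        if cfg.get("accprofile") == "super_admin":
            findings.append("full-access profile: confirm the scope is required")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(parse_admins(SAMPLE_CONFIG)))
```

Run it against a saved copy of the administrator configuration as part of the regular access review; an account name such as the constructed `netops-shared` is also a prompt to check for shared credentials.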
