Administrator password retries and lockout time
By default, the FortiGate includes a set number of three password retries, allowing the administrator a maximum of three attempts to log into their account before they are locked out for a set amount of time (by default, 60
The number of attempts can be set to an alternate value, as can the default wait time before the administrator can try to enter a password again. You can also change this to further deter would-be hackers. Both settings must be configured in the CLI.
To configure the lockout options:
config system global
set admin-lockout-threshold <failed_attempts>
set admin-lockout-duration <seconds>
end
For example, to set the lockout threshold to one attempt and a five-minute duration before the administrator can try again to log in, enter the commands:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
Administrative port settings
In order to improve security, you can change the default port configurations for administrative connections to the FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the url would be https://192.168.1.99:99.
To configure the administrative port settings:
1. Go to System > Settings.
2. Under Administrative Settings, change the port numbers for HTTP, HTTPS, Telnet, and/or SSH as needed.
You can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
When you change the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the new port number is unique. If a conflict exists with a particular port, a warning message will appear.
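The lockout thresholds and the administrative port settings above can be audited from a configuration backup rather than checked by hand. The following script is an added example, not Fortinet's own tooling: it parses the config system global block of a constructed FortiOS-style dump and flags lockout values weaker than the documented defaults (3 retries, 60 seconds) or admin ports left at their defaults. It assumes that admin-port and admin-sport are the CLI keys behind the GUI HTTP and HTTPS port fields.

```python
"""Audit admin lockout and admin port settings in a FortiOS configuration dump."""
import re

# Constructed sample of a FortiGate configuration backup, not from a real device.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-threshold 1
    set admin-lockout-duration 300
    set admin-port 80
    set admin-sport 8443
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

def parse_system_global(config_text):
    """Return the 'set <key> <value>' pairs inside the 'config system global' block."""
    block = re.search(r"^config system global\n(.*?)^end\s*$", config_text, re.S | re.M)
    settings = {}
    if block:
        for line in block.group(1).splitlines():
            parts = line.strip().split(None, 2)
            if len(parts) == 3 and parts[0] == "set":
                settings[parts[1]] = parts[2].strip('"')
    return settings

def audit_admin_access(settings, max_threshold=3, min_duration=60):
    """Flag settings weaker than the documented defaults or still on default ports."""
    findings = []
    # Keys absent from the dump are at FortiOS defaults: 3 retries, 60 s lockout.
    threshold = int(settings.get("admin-lockout-threshold", 3))
    duration = int(settings.get("admin-lockout-duration", 60))
    if threshold > max_threshold:
        findings.append(f"admin-lockout-threshold {threshold} exceeds {max_threshold}")
    if duration < min_duration:
        findings.append(f"admin-lockout-duration {duration}s is below {min_duration}s")
    # Assumed CLI keys for the GUI HTTP / HTTPS administrative port fields.
    if settings.get("admin-port", "80") == "80":
        findings.append("HTTP admin port is still the default (80)")
    if settings.get("admin-sport", "443") == "443":
        findings.append("HTTPS admin port is still the default (443)")
    return findings

if __name__ == "__main__":
    for finding in audit_admin_access(parse_system_global(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against a real backup, the only change needed is reading the file into config_text; the sample above reports one finding, the HTTP port left at 80.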
Changing the host name
The host name of your FortiGate appears in the Host Name row, in the System Information widget. The host name also appears at the CLI prompt when you are logged in to the CLI and as the SNMP system name.
To change the host name on the FortiGate, in the System Information widget, select Change in the Host Name row. The only administrators that can change a FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the cluster.
Administrators
By default, the FortiGate has a super administrator account, called admin, which cannot be deleted. Additional administrators can be added for various functions, each with a unique user name, password, and set of access privileges.
The following tasks can be done to add and secure administrative access to a FortiGate:
- Administrator profiles
- Adding a local administrator
- LDAP authentication for administrators
- Other methods of authentication
- Monitoring administrators
- Management access
- Security precautions
Administrator profiles
Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile, which dictates what the administrator will see. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much, or as little, as required.
super_admin profile
This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For some administrative functions, such as backing up and restoring the configuration using SCP, super_admin access is required. The super_admin profile cannot be deleted or modified, to ensure that there is always a method to administer the FortiGate.
The super_admin profile is used by the default admin account. It is recommended to add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required. For more information, see “Administrators” on page 220.
Creating profiles
To configure administrator profiles go to System > Admin Profiles.
On the New Admin Profile page, you define the components of FortiOS that will be available to view and/or edit. For example, you can configure a profile so that the administrator can only access the Firewall Configuration, which includes firewall policies, addresses, services, schedules, packet capture, and some other parts of the FortiGate configuration. Any other aspects of the FortiGate configuration, including VPNs and security profiles, will be hidden from this administrator.