Chapter 2 – Getting Started

Security precautions

One potential point of a security breach is at the management computer. Administrators who leave their workstations for a prolonged amount of time while staying logged into the GUI or CLI leave the firewall open to malicious intent.


Preventing unwanted login attempts

Setting trusted hosts for an administrator limits which computers that administrator can log in from: the FortiGate only accepts the administrator's login from the configured IP addresses. Any attempt to log in with the same credentials from any other IP address is dropped.

Trusted hosts are configured when adding a new administrator by going to System > Administrators in the GUI, or with config system admin in the CLI.

To ensure the administrator has access from different locations, you can enter up to ten IP addresses, though ideally this should be kept to a minimum. For higher security, use a net mask of 255.255.255.255 (a single host) for each entry, and enter a non-zero IP address in each of the three default trusted host fields. Also ensure all entries contain actual IP addresses, not the default 0.0.0.0, since a 0.0.0.0 entry matches every source address.

The trusted hosts apply to the GUI, ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.


Prevent concurrent administrator sessions

Concurrent administrator sessions occur when multiple people access the FortiGate at the same time using the same administrator account. This is allowed by default. If you wish to prevent this behavior, use the following CLI command:

config system global
    set admin-concurrent disable
end


On 2U FortiGates, this option is also available in the GUI by going to System > Settings and disabling Allow multiple concurrent sessions for each administrator.
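As an added example (not taken from the original page), the trusted-host and concurrent-session settings described above written out in FortiOS CLI syntax, with a weak configuration shown beside the hardened one. The administrator name "netadmin" and the 192.0.2.x and 198.51.100.x addresses are placeholders; substitute your own management hosts.

```fortios
# Weak: the default trusted host 0.0.0.0/0.0.0.0 matches every source
# address, so a login as "netadmin" is accepted from anywhere.
config system admin
    edit "netadmin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end

# Hardened: three specific management hosts, each with a /32 mask
# (255.255.255.255). Logins from any other address are dropped for the
# GUI, SSH/Telnet CLI, ping and SNMP; the console port is unaffected.
config system admin
    edit "netadmin"
        set trusthost1 192.0.2.10 255.255.255.255
        set trusthost2 192.0.2.11 255.255.255.255
        set trusthost3 198.51.100.5 255.255.255.255
    next
end

# Refuse a second simultaneous session on the same administrator account.
config system global
    set admin-concurrent disable
end
```

After applying the hardened block, verify it with `show system admin netadmin` and confirm no remaining trusthost entry still reads 0.0.0.0 0.0.0.0.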
