Segregated administrative roles
To limit the damage an administrator can do through a configuration mistake (or through a compromised account), give each administrator a profile that holds only the permissions that role needs, and make sure that none of the day-to-day accounts use the super_admin profile. For example, one account is used solely to create security policies, another to manage users and groups, another for VPN, and so on. If one super_admin account has to remain for emergencies, keep it out of daily use and protect its credentials separately.
SSH log in time out
By default you have 120 seconds to complete an SSH login to the FortiGate. Shorten this grace period with the following CLI command, so that an unauthenticated SSH session cannot stay open for long:
config system global
set admin-ssh-grace-time <number_of_seconds>
end
The range can be between 10 and 3600 seconds.
HTTPS redirect
When configuring the administration settings (System > Settings), you can also enable Redirect to HTTPS. When it is enabled, an administrator who connects to an interface over HTTP is automatically redirected to HTTPS, so the session is encrypted. The initial HTTP request still travels in the clear, so treat the redirect as a convenience for administrators, not as a substitute for allowing only HTTPS in each interface's administrative access settings.
Log in/out warning message
You can show administrators a disclaimer when they log in to and out of the FortiGate. The disclaimer presents a statement that the administrator must accept or decline, which organizations with strict usage policies need for forensic and legal reasons.
The disclaimer can appear either before the login screen loads (pre-login banner) or after an administrator enters their credentials (post-login banner). Both are enabled through the CLI:
config system global
set pre-login-banner enable
set post-login-banner enable
end
The banner is a default message that you can customize by going to System > Replacement Messages. Select Extended View to see the Admin category and messages.
You can disable login on your FortiGate's serial console to prevent unwanted local login attempts by anyone with physical access to the console port:
config system console
set login disable
end
Keep in mind that the lost-password recovery procedure referenced at the end of this section relies on console access, so disable console login only where physical access to the device is already controlled.
Disable other interfaces
If any of the interfaces on the FortiGate are not being used, set them administratively down. This prevents someone from plugging a cable into a spare port and bypassing security policies or creating a network loop.
To disable an interface – GUI
1. Go to Network > Interfaces.
2. Select the interface from the list and select Edit.
3. For Administrative Status, select Down.
4. Select OK.
To disable an interface – CLI
config system interface
edit <interface_name>
set status down
next
end
Passwords
Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing a password, consider the following:
- Do not use obvious passwords such as the company name, administrator names, or other obvious words or phrases.
- Do not rely on substituting numbers for letters (passw0rd) or adding extra letters (passsword): password-cracking tools apply exactly these rules to dictionary words, so the result is barely stronger than the word itself.
- Administrator passwords can be up to 64 characters; use that room, because length adds more strength than substitutions.
- Include a mixture of letters, numbers, and upper and lower case.
- Use multiple words together, or even a sentence, for example keytothehighway.
- Use a password generator.
- Change the password regularly, and always make the new password unique rather than a variation of the existing one, such as changing password to password1.
- Make sure the password is recoverable if the administrator forgets it, becomes ill, is on vacation, or leaves the company: store a written copy in a sealed envelope or safe away from the management computer, or ensure that at least two people know it. Better still, give each administrator a separate login so that no single account is a point of failure.
Password policy
The FortiGate includes the ability to create a password policy for administrators. With this policy, you can enforce regular changes and specific criteria for a password including:
- minimum length between 8 and 64 characters.
- if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
- if the password must contain numbers (1, 2, 3).
- if the password must contain non-alphanumeric characters (!, @, #, $, %, ^, &, *, ().
- where the policy applies (administrator passwords, IPsec pre-shared keys, or both).
- the duration of the password before a new one must be specified.
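As an added example (not Fortinet code and not part of the original page), the checker below applies the criteria a FortiGate password policy can enforce, together with the advice above that the policy cannot enforce: it undoes passw0rd- and passsword-style substitutions before comparing a candidate against a constructed list of obvious words, and it detects a new password that is only a variation of the previous one. The word list, the 12-character minimum and the substitution table are assumptions made for the example.

```python
import re

# Constructed list of "obvious" words for this example: the product name,
# role names and the password examples above. A real deployment would add
# the company name and the administrators' names.
OBVIOUS_WORDS = ("admin", "fortigate", "fortinet", "password")

# Substitutions the section warns about are undone before comparing,
# because password-cracking rule sets apply exactly these mappings.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def core(pw):
    """Reduce a password to the word it is built on: lowercase, drop a trailing
    run of digits/symbols (password1 -> password), undo leet substitutions
    (passw0rd -> password) and collapse repeated letters (passsword -> pasword)."""
    s = re.sub(r"[0-9\W_]+$", "", pw.lower())
    s = s.translate(LEET)
    return re.sub(r"(.)\1+", r"\1", s)


def check_password(pw, previous=None, min_length=12, words=OBVIOUS_WORDS):
    """Return the list of rules `pw` breaks (an empty list means it passes).

    Applies the criteria a FortiGate password policy can enforce (length,
    upper/lower case, digit, non-alphanumeric) plus the advice in this
    section that the device cannot enforce: not built on an obvious word,
    and not a variation of the previous password.
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(pw) > 64:
        problems.append("longer than the 64-character administrator limit")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"[0-9]"), ("non-alphanumeric", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"no {name} character")
    stem = core(pw)
    for word in words:
        if core(word) in stem:
            problems.append(f'built on the obvious word "{word}"')
    if previous is not None and core(previous) == stem:
        problems.append("variation of the previous password")
    return problems


if __name__ == "__main__":
    for candidate, prev in (("Passw0rd1!", "Password"), ("keytothehighway", None),
                            ("Key-to-the-Highway-42", None)):
        print(candidate, "->", check_password(candidate, prev) or "ok")
```

Note that keytothehighway alone fails the character-class rules the policy enforces, while a longer form such as Key-to-the-Highway-42 passes every check; Passw0rd1! passes the character-class rules but is rejected as an obvious word and as a variation of Password, which is the case the device's own policy cannot catch.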
To create a password policy – GUI
1. Go to System > Settings.
2. Select Enable Password Policy and configure the settings as required.
If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.
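The settings covered in this section (segregated administrator profiles, the SSH grace time, HTTPS redirect, login banners, console login, unused interfaces and the password policy) can be audited offline from a configuration export. The script below is an added example, not Fortinet's or the page's own code: it parses the text of show full-configuration into nested dictionaries and reports each setting that does not match the recommendations above. The sample export is constructed for the example, and the key names admin-https-redirect, expire-status and apply-to are assumed to match a FortiOS 6.x-style export; adjust them if your firmware exports different names.

```python
import shlex

# Constructed sample export (not from a real device) that mixes compliant
# and non-compliant settings so that every check has something to report.
SAMPLE_CONFIG = """
config system global
    set admin-ssh-grace-time 120
    set admin-https-redirect disable
    set pre-login-banner enable
end
config system console
    set login enable
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set status up
    next
    edit "port3"
        set status up
    next
end
config system accprofile
    edit "policy-only"
        set fwgrp read-write
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "fwadmin"
        set accprofile "policy-only"
    next
end
config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key
    set expire-status disable
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: `config a b` and `edit x` open
    a dict under that key, `set k v...` stores k -> [v...], next/end close it."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root


def _val(block, key, default):
    # First value of `set key ...`, or `default` if a plain `show` export omitted it.
    return block.get(key, [default])[0]


def audit(cfg):
    """Return (severity, finding) tuples; an empty list means all checks passed."""
    out = []
    g = cfg.get("system global", {})
    grace = int(_val(g, "admin-ssh-grace-time", "120"))  # FortiOS default: 120 s
    if grace >= 120:
        out.append(("medium", f"admin-ssh-grace-time is {grace}s; lower it (range 10-3600)"))
    if _val(g, "admin-https-redirect", "") != "enable":
        out.append(("medium", "admin-https-redirect is not enabled"))
    for key in ("pre-login-banner", "post-login-banner"):
        if _val(g, key, "disable") != "enable":
            out.append(("low", f"{key} is not enabled"))
    if _val(cfg.get("system console", {}), "login", "enable") == "enable":
        out.append(("medium", "console login is enabled"))
    # Unused-port heuristic: administratively up but carrying no address. Switch
    # or zone members may be legitimately unaddressed, so review rather than fail.
    for name, iface in cfg.get("system interface", {}).items():
        if _val(iface, "status", "up") == "up" and _val(iface, "ip", "0.0.0.0") == "0.0.0.0":
            out.append(("low", f'interface "{name}" has no IP address but is still up'))
    for name, adm in cfg.get("system admin", {}).items():
        if _val(adm, "accprofile", "") == "super_admin":
            out.append(("high", f'administrator "{name}" uses the super_admin profile'))
    pp = cfg.get("system password-policy", {})
    if _val(pp, "status", "disable") != "enable":
        out.append(("high", "password policy is disabled"))
    else:
        if "admin-password" not in pp.get("apply-to", []):
            out.append(("high", "password policy does not apply to administrator passwords"))
        if _val(pp, "expire-status", "disable") != "enable":
            out.append(("low", "password expiry (expire-status) is not enabled"))
    return out
```

Run it against a saved export with audit(parse_fortios(open("backup.conf").read())). A plain show export omits default values, so the auditor treats an absent admin-ssh-grace-time as the 120-second default and an absent banner, redirect or console setting as not hardened; show full-configuration avoids that ambiguity. On the constructed sample it reports seven findings, including the super_admin account and port3, and nothing for fwadmin or port1.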
Lost Passwords
If an administrator password has been lost, refer to the SysAdmin Note: Resetting a lost admin password.