Change the admin account name and limit access to this account
The default super_admin administrator account, admin, is a well known administrator name so if this account is available it could be easier for attackers to access the FortiGate unit because they know they can log in with this name, only having to determine the password. You can improve security by changing this name to one more difficult for an attacker to guess.
To do this, create a new administrator account with the super_admin admin profile and log in as that administrator. Then go to System > Administrators and edit the admin administrator and change the Administrator name.
Once the account has been renamed you could delete the super_admin account that you just added. Consider also only using the super-admin account for adding or changing administrators. The less this account is used to less likely that it could be compromised. You could also store the account name and password for this account in a secure location in case for some reason the account name or password is forgotten.
Only allow administrative access to the external interface when needed
When possible, don’t allow administration access on the external interface and use internal access methods such as IPsec VPN or SSL VPN.
To disable administrative access on the external interface, go to Network > Interfaces, edit the external interface and disable HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.
This can also be done with CLI using following commands:
config system interface
edit <external_interface_name>
unset allowaccess end
Please note that this will disable all services on the external interface including CAPWAP, FMG-Access, and SNMP. If you need some of these services enabled on your external interface, for example CAPWAP and FMG- Access to ensure connectivity between FortiGate unit and respectively FortiAP and FortiManager, then you need to use following CLI command:
config system interface
edit <external_interface_name>
set allowaccess capwap fgfm end