Chapter 11 – Hardening

Change the default administrative port to a non-standard port

The Administration Settings under System > Settings, or config system global in the CLI, let you change the default ports used for administrative connections to the FortiGate unit. Once a port has been changed, every connection must specify it explicitly. For example, if you connect to the FortiGate unit over HTTPS on port 8081, the URL is https://192.168.1.99:8081

If you change the default port number for HTTP, HTTPS, Telnet, or SSH, make sure the new port is not already used by another service.


Modify the device name

The device name must be changed so that the unit can be uniquely identified. A label with the device name shall also be attached to the unit. Finally, a DNS entry shall be added with the unit's name and IP address.


Register with support services

To activate the device's services and warranty, its serial number must be registered on the manufacturer's website. This task shall always be performed under the same account used to register all other units, so that they can be managed centrally.


Maintain short login timeouts

To avoid the possibility of an administrator walking away from the management computer and leaving it exposed to unauthorized personnel, you can set an idle timeout: if the web-based manager is not used for a specified amount of time, the FortiGate unit automatically logs the administrator out, and they must log in again to continue their work.

The timeout can be set as high as 480 minutes (eight hours), although this is not recommended.

To set the idle timeout, go to System > Settings and enter the amount of time for Idle Timeout. A best practice is to keep the default of 5 minutes.

When logging in to the console over SSH, the default time allowed to complete the login is 120 seconds (2 minutes). You can shorten this from the CLI by changing how long the command prompt may remain idle before the FortiGate unit logs the administrator out. The range is 10 to 3600 seconds. To set the logout time, enter the following CLI commands:

config system global
    set admin-ssh-grace-time <number_of_seconds>
end
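As an added example (not part of this chapter or of Fortinet's own tooling), the following Python script audits a saved "config system global" block against the settings this chapter covers: admin ports left on factory defaults, a changed port reused by a second admin service, an idle timeout above 5 minutes, and an SSH grace time above the 120-second default. The sample configuration is constructed; admin-ssh-grace-time is the key named in the chapter, while admin-port, admin-sport, admin-ssh-port, admin-telnet-port and admintimeout are assumed FortiOS key names.

```python
import re
# Constructed sample "config system global" dump (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-branch-01"
    set admin-port 80
    set admin-sport 8081
    set admin-ssh-port 8081
    set admintimeout 480
    set admin-ssh-grace-time 120
end
"""
# Factory-default admin ports the chapter says to change (key names assumed FortiOS).
DEFAULT_PORTS = {"admin-port": 80, "admin-sport": 443,
                 "admin-ssh-port": 22, "admin-telnet-port": 23}
MAX_IDLE_MINUTES = 5          # web UI idle timeout the chapter calls best practice
MAX_SSH_GRACE_SECONDS = 120   # default SSH login grace time; longer is weaker

def parse_system_global(text):
    """Return {key: value} for the 'set' lines inside 'config system global'."""
    settings, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "config system global":
            inside = True
        elif line == "end":
            inside = False
        elif inside:
            m = re.match(r'set (\S+) "?([^"]*)"?$', line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings

def audit(settings):
    """Return a list of findings; an empty list means the block passes."""
    findings, ports = [], {}
    for key, default in DEFAULT_PORTS.items():
        if key in settings:
            port = int(settings[key])
            if port == default:
                findings.append(f"{key} still on default port {default}")
            ports.setdefault(port, []).append(key)
    # A changed port must not collide with another admin service on the unit.
    for port, keys in ports.items():
        if len(keys) > 1:
            findings.append(f"port {port} shared by {', '.join(keys)}")
    if int(settings.get("admintimeout", MAX_IDLE_MINUTES)) > MAX_IDLE_MINUTES:
        findings.append("admintimeout exceeds 5 minutes")
    if int(settings.get("admin-ssh-grace-time", 120)) > MAX_SSH_GRACE_SECONDS:
        findings.append("admin-ssh-grace-time exceeds 120 seconds")
    return findings
```

Running audit(parse_system_global(SAMPLE_CONFIG)) on the constructed dump reports three findings: HTTP still on port 80, port 8081 shared by HTTPS and SSH, and a 480-minute idle timeout.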
