Basic administration – FortiOS 6.2

Basic administration

This section contains information about basic FortiGate administration that you can do after installing the unit in your network.

Registration

In order to have full access to Fortinet Support and FortiGuard Services, you must register your FortiGate.

Registering your FortiGate:

  1. Go to the Dashboard and locate the Licenses widget.
  2. Click on FortiCare Support to display a pop-up window and Register.
  3. In the pop-up window, either use an existing Fortinet Support account or create a new one. Select your Country and Reseller.
  4. Select OK.

FortiGate platforms don’t impose any limitations on the number or type of customers, users, devices, IP addresses, or number of VPN clients being served by the platform. Such factors are limited solely by the hardware capacity of each given model.

System settings

There are several system settings that should be configured once your FortiGate is installed:

  • Default administrator password
  • Settings
  • Changing the host name
  • System time
  • Administration settings
  • Password policy
  • View settings
  • Administrator password retries and lockout time

Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.

To change the default password:

  1. Go to System > Administrators.
  2. Edit the admin account.
  3. Select Change Password.
  4. Enter the New Password and re-enter the password for confirmation.
  5. Select OK.

It is also recommended to change the user name of this account; however, since you cannot change the user name of an account that is currently in use, a second administrator account will need to be created in order to do this.

Settings

Settings can be accessed by going to System > Settings. On this page, you can change the Host name, set the system time and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle timeout in Administration Settings, designate the Password Policy, and manage display options and designate inspection mode in View Settings.

Changing the host name

The host name of your FortiGate appears in the Hostname row in the System Information widget on the Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP system name.

To change the host name on the FortiGate

Go to System > Settings and type in the new name in the Host name row. The only administrators that can change a FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the cluster.

System time

For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol (NTP) server.

NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs and other time-sensitive settings on the FortiGate are correct.

The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the FortiGate has successfully obtained the time from a configured NTP server.

To set the date and time

  1. Go to System > Settings.
  2. Under System Time, select your Time Zone by using the drop-down menu.
  3. Set Time by either selecting Synchronize with NTP Server or Manual settings. If you select synchronization, you can either use the default FortiGuard servers or specify a custom server. You can also set the Sync interval.
  4. If you use an NTP server, you can identify a specific interface for this self-originating traffic by enabling Setup device as local NTP server.
  5. Select Apply.

Administration settings

In order to improve security, you can change the default port configurations for administrative connections to the FortiGate. When connecting to the FortiGate after a port has been changed, the port must be included in the URL, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL would be https://192.168.1.99:99.

To configure the port settings:

  1. Go to System > Settings.
  2. Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed. You can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
  3. Select Apply.

When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is unique. If a conflict exists with a particular port, a warning message will appear.

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management PC is left unattended.

To change the idle timeout

  1. Go to System > Settings.
  2. In the Administration Settings section, enter the time in minutes in the Idle timeout field.
  3. Select Apply.

Password policy

The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:

  • minimum length between 8 and 64 characters.
  • if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
  • if the password must contain numbers (1, 2, 3).
  • if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
  • where the password applies (admin or IPsec or both).
  • the duration of the password before a new one must be specified.

To create a password policy – GUI

  1. Go to System > Settings.
  2. Configure Password Policy settings as required.
  3. Click Apply.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.
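The criteria a policy can enforce are simple enough to check before a new password is submitted, which is useful when administrator passwords are generated or rotated by a script rather than typed into the GUI. The following Python checker is an added example, not part of this guide or of FortiOS: the class and its field names are this example's own (they are not FortiOS CLI keywords), the special-character set is the one listed above, and the "variation" heuristic is this example's own approximation of the "password" to "password1" pattern warned about in the Passwords section below.

```python
"""Checker mirroring the criteria a FortiGate administrator password policy can enforce.
Added example; the dataclass fields are this example's own names, not FortiOS CLI keywords."""
import re
from dataclasses import dataclass

# Special (non-alphanumeric) characters listed in the policy description.
SPECIAL_CHARS = set("!@#$%^&*()")


@dataclass
class PasswordPolicy:
    min_length: int = 8           # the policy minimum can be set anywhere from 8 to 64
    max_length: int = 64
    require_upper: bool = False
    require_lower: bool = False
    require_number: bool = False
    require_special: bool = False

    def violations(self, password: str) -> list:
        """Return human-readable reasons the password fails; an empty list means it passes."""
        problems = []
        if not self.min_length <= len(password) <= self.max_length:
            problems.append(f"length {len(password)} not in {self.min_length}..{self.max_length}")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_number and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_special and not any(c in SPECIAL_CHARS for c in password):
            problems.append("no special character from " + "".join(sorted(SPECIAL_CHARS)))
        return problems

    def accepts(self, password: str) -> bool:
        return not self.violations(password)


def is_variation_of(old: str, new: str) -> bool:
    """Heuristic (this example's own, not a FortiOS check) for the 'password' -> 'password1'
    pattern: the two are the same after case folding and stripping trailing digits/specials."""
    def core(p: str) -> str:
        return re.sub(r"[\d!@#$%^&*()]+$", "", p).casefold()
    return core(old) == core(new)


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, require_upper=True, require_lower=True,
                            require_number=True, require_special=True)
    for candidate in ["password1", "Keytothehighway42!", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {policy.violations(candidate) or 'ok'}")
    print("password -> password1 is a variation:", is_variation_of("password", "password1"))
```

Run it as a pre-check in whatever tooling sets or rotates the admin password; the FortiGate still enforces its own policy at login, so the script is a convenience, not the control.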

View settings

Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.

To change the language, go to System > Settings. Select the language you want from the Language drop-down list: English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. For best results, you should select the language that is used by the management computer.

To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20 and 1,000. The default is 50 lines per page.

Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change your theme, select the color from the Theme drop-down list.

This is also where you select either Flow-based or Proxy Inspection Mode. If you select Flow-based mode, you need to specify whether it is NGFW Profile-based or NGFW Policy-based inspection.

Administrator password retries and lockout time

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

To configure the lockout options:

  config system global
    set admin-lockout-threshold <failed_attempts>
    set admin-lockout-duration <seconds>
  end

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

Example:

To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

  config system global
    set admin-lockout-threshold 1
    set admin-lockout-duration 300
  end
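The warning that a higher threshold raises the risk of a break-in can be made concrete by modelling the two settings. The Python below is an added example, not FortiOS code or a description of its internals: it assumes a simplified lockout model (after the threshold of consecutive failures the account is refused for the duration, including correct passwords, and the failure counter restarts once the lock is set) and derives from it an upper bound on how many wrong passwords a setting allows through per time window. The class and function names are this example's own.

```python
"""Model of the admin-lockout-threshold / admin-lockout-duration controls (added example)."""
import math
from dataclasses import dataclass


@dataclass
class AdminLockout:
    """Simplified model, an assumption of this example rather than documented FortiOS internals:
    after `threshold` consecutive failures the account is locked for `duration` seconds, every
    attempt while locked is refused (correct password or not), and the failure counter starts
    again from zero once the lock is set."""
    threshold: int = 3          # admin-lockout-threshold default; valid range 1..10
    duration: int = 60          # admin-lockout-duration default, seconds; valid range 1..4294967295
    failures: int = 0
    locked_until: float = 0.0

    def __post_init__(self):
        if not 1 <= self.threshold <= 10:
            raise ValueError("admin-lockout-threshold must be between 1 and 10")
        if not 1 <= self.duration <= 4294967295:
            raise ValueError("admin-lockout-duration must be between 1 and 4294967295 seconds")

    def attempt(self, now: float, password_correct: bool) -> str:
        """Process one login attempt at time `now` (seconds); returns 'locked', 'ok' or 'failed'."""
        if now < self.locked_until:
            return "locked"
        if password_correct:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.threshold:
            self.locked_until = now + self.duration
            self.failures = 0
        return "failed"


def max_guesses(threshold: int, duration: int, window_seconds: int) -> int:
    """Upper bound on wrong passwords the model lets through in `window_seconds`: each lock
    cycle admits `threshold` guesses and then blocks for `duration` seconds, so the bound is
    threshold * ceil(window / duration). A higher threshold or a shorter duration loosens it,
    which is the trade-off the guide warns about."""
    return threshold * math.ceil(window_seconds / duration)


if __name__ == "__main__":
    lock = AdminLockout(threshold=3, duration=60)
    for t, ok in [(0, False), (1, False), (2, False), (3, True), (62, True)]:
        print(f"t={t:>3}s correct={ok!s:<5} -> {lock.attempt(t, ok)}")
    print("default 3 attempts / 60 s, bound per hour:", max_guesses(3, 60, 3600))
    print("guide example 1 attempt / 300 s, bound per hour:", max_guesses(1, 300, 3600))
```

With the defaults the bound is 180 wrong passwords per hour; with the guide's example of one attempt and a 300-second lockout it is 12. Pair whichever setting you choose with alerting on lockout events in the FortiGate event log, since a locked account is itself a signal worth investigating.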

Passwords

Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

  • Do not make passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
  • Use numbers in place of letters, for example, passw0rd.
  • Administrator passwords can be up to 64 characters.
  • Include a mixture of letters, numbers, and upper and lower case.
  • Use multiple words together, or possibly even a sentence, for example keytothehighway.
  • Use a password generator.
  • Change the password regularly and always make the new password unique and not a variation of the existing password, such as changing from password to password1.
  • Make note of the password and store it in a safe place away from the management computer in case you forget it, or ensure that at least two people know the password in the event that one person becomes ill, is away on vacation, or leaves the company. Alternatively, have two different admin logins.

Downgrades will typically maintain the administrator password. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then log in after the downgrade and re-configure the password.


Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you back up the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also back up the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

We also recommend that you back up the configuration after any changes are made, to ensure you have the most current configuration available. Also, back up the configuration before any upgrades of the FortiGate’s firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved configuration.

Always back up the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiCloud, full backups are performed and the option to back up individual VDOMs will not appear.

You can also back up and restore your configuration using Secure File Copy (SCP). See How to download/upload a FortiGate configuration file using secure file copy (SCP).

You enable SCP support using the following command:

  config system global
    set admin-scp enable
  end

For more information about this command and about SCP support, see config system global.

Backing up the configuration using the GUI

  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also back up to the FortiManager using the CLI.

  3. If VDOMs are enabled, indicate whether the scope of the backup is for the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).
  4. If backing up a VDOM configuration, select the VDOM name from the list.
  5. Select Encryption.

Encryption must be enabled on the backup file to back up VPN certificates.

  6. Enter a password and enter it again to confirm it. You will need this password to restore the file.
  7. Select OK.
  8. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

Backing up the configuration using the CLI

Use one of the following commands:

  execute backup config management-station <comment>

or:

  execute backup config usb <backup_filename> [<backup_password>]

or for FTP (the port number and user name are optional depending on the FTP site):

  execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

  execute backup config tftp <backup_filename> <tftp_server> <password>

Use the same commands to back up a VDOM configuration by first entering the commands:

  config vdom
    edit <vdom_name>

Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:

  execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>

where:

  • <cert_name> is the name of the server certificate.
  • <filename> is a name for the output file.
  • <tftp_ip> is the IP address assigned to the TFTP server host interface.

To restore the local certificates – GUI:

  1. Move the output file from the TFTP server location to the management computer.
  2. Go to System > Certificates and select Import.
  3. Select the appropriate type of certificate from the dropdown menu and fill in any required fields.
  4. Select Upload. Browse to the location on the management computer where the exported file has been saved, select the file and select Open.
  5. If required, enter the Password needed to upload the exported file.
  6. Select OK.

To restore the local certificates – CLI:

Connect to the CLI and use the following command:

  execute vpn certificate local import tftp <filename> <tftp_ip>

Restoring a configuration

Should you need to restore a configuration file, use the following steps:

To restore the FortiGate configuration – GUI:

  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

  3. Enter the path and file name of the configuration file, or select Browse to locate the file.
  4. Enter a password if required.
  5. Select Restore.

To restore the FortiGate configuration – CLI:

  execute restore config management-station normal 0

or:

  execute restore config usb <filename> [<password>]

or for FTP (the port number and user name are optional depending on the FTP site):

  execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

  execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message: Configuration file error
Reason: This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware.
Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.

Error message: Invalid password
Reason: When the configuration file is saved, it can be protected by a password. The password entered during the upload process does not match the one associated with the configuration file.
Solution: Use the correct password if the file is password protected.
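The model/version mismatch behind the "Configuration file error" can be caught before a restore is attempted, because a plaintext backup records both in its first line. The Python below is an added example, not part of this guide or of FortiOS: it assumes the first line of a plaintext backup has the form `#config-version=<MODEL>-<MAJOR.MINOR.PATCH>-FW-build<NNNN>-<YYMMDD>:opmode=...:vdom=...:user=...` (the layout I have seen in FortiGate backups; confirm it against one of your own files before relying on it), the sample header is constructed for a fictitious device, and the function names are this example's own. The model and version of the target unit are passed in by the operator.

```python
"""Pre-restore check of a plaintext FortiGate .conf backup against the target device (added example)."""
import re
import sys

# Assumed header layout of the first line of a plaintext backup (verify against your own files):
#   #config-version=<MODEL>-<MAJOR.MINOR.PATCH>-FW-build<NNNN>-<YYMMDD>:opmode=..:vdom=..:user=..
# An encrypted backup or a non-FortiGate file will not match and is reported as such.
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d{6})(?::(?P<rest>.*))?$"
)

# Constructed sample header for a fictitious 6.2.3 backup (not taken from a real device).
SAMPLE_HEADER = "#config-version=FGT60E-6.2.3-FW-build1066-191219:opmode=0:vdom=0:user=admin"


def parse_header(first_line: str) -> dict:
    """Split the header into model, version, build, date and the trailing key=value options."""
    m = HEADER_RE.match(first_line.strip())
    if not m:
        raise ValueError("first line is not a plaintext FortiGate config header "
                         "(encrypted backup, truncated file or not a FortiGate backup)")
    info = m.groupdict()
    info["build"] = int(info["build"])
    rest = info.pop("rest") or ""
    info["options"] = dict(kv.split("=", 1) for kv in rest.split(":") if "=" in kv)
    return info


def restore_problems(first_line: str, device_model: str, device_version: str) -> list:
    """Apply the 'Configuration file error' rule from the troubleshooting table: the backup must
    come from the same model and the same firmware version as the device it is restored to.
    device_model / device_version are what the unit reports (for example 'FGT60E' and '6.2.3')."""
    info = parse_header(first_line)
    problems = []
    if info["model"] != device_model:
        problems.append(f"backup is for model {info['model']}, device is {device_model}")
    if info["version"] != device_version:
        problems.append(f"backup was saved from FortiOS {info['version']}, "
                        f"device runs {device_version}")
    return problems


if __name__ == "__main__":
    # usage: python check_backup.py <backup.conf> <device_model> <device_version>
    path, model, version = sys.argv[1:4]
    with open(path, encoding="utf-8", errors="replace") as f:
        first = f.readline()
    issues = restore_problems(first, model, version)
    print("\n".join(issues) if issues else "header matches target device")
    sys.exit(1 if issues else 0)
```

The check only reads the first line, so it is safe to run on large backups and on files whose body you would rather not open in an editor; a non-matching first line is reported rather than guessed at, which also flags an encrypted backup that needs its password instead.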

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this feature. Typically, configuration backup to local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiCloud.

If central management is not configured on your FortiGate unit, a message appears instructing you to either:

  • Enable central management, or
  • obtain a valid license.

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and selecting Configuration > Revisions.

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration.

You can reset using the CLI by entering the command:

  execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration. Use the following command:

  execute factoryreset2

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
