Security Best Practices

The following recommendations will help you raise the security level of your FortiGate.

Security Access Protocols

Graphical Interface

To improve security, disable HTTP or Telnet for administrative access to the FortiGate. We recommend enabling only HTTPS and SSH access.

You can change these settings for individual interfaces on the Network → Interfaces tab.

Console Interface

To change through the CLI, enter the following:

config system interface
edit <interface-name>
set allowaccess https ssh
end

Redirecting to HTTPS

Graphical Interface

Go to System → Settings → Administrator Settings and enable Redirect to HTTPS to ensure that all HTTP connection attempts are redirected to HTTPS.

Console Interface

To change through the CLI, enter the following:

config system global
set admin-https-redirect enable
end

Changing the Default Access Ports

Graphical Interface

Change the standard ports used for administrative access via HTTPS and SSH to non-standard ones.

Before changing, make sure that these ports are not used for other services.

Go to System → Settings → Administrator Settings and change the HTTPS and SSH ports.

Console Interface

To change through the CLI, enter the following:

config system global
set admin-port 48008
set admin-sport 48344
set admin-ssh-port 48022
set admin-telnet-port 48032
end

Maintaining Short Login Timeouts

Graphical Interface

Set the idle timeout to a short time to avoid the possibility of an administrator leaving their management computer exposed to unauthorized personnel. To set the administrator idle timeout, go to System → Settings and enter the amount of time for the idle timeout. The best practice is to keep the default time of 5 minutes.

Console Interface

To change through the CLI, enter the following:

config system global
set admintimeout 5
end

You can use the following command to adjust the grace time permitted between opening an SSH connection and authenticating. The range is 10 to 3600 seconds; the default is 120 seconds. For example, to set the time to 30 seconds:

config system global
set admin-ssh-grace-time 30
end

Configuring Logins from Trusted Hosts

Graphical Interface

To allow logins only from trusted hosts:

  1. Go to System → Administrators.
  2. Edit the administrator account, enable Restrict login to trusted hosts.
  3. Add trusted host IP addresses or networks.

Console Interface

To change through the CLI, enter the following:

config system admin
edit admin
set trustedhost1 <IP/MASK>
end
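An added example, not from Selectel or Fortinet: a Python check that reads the trustedhostN lines of an administrator entry from a backup, flags entries wider than a /24 (including the 0.0.0.0 0.0.0.0 "any" value), and tells you whether a given source address would be allowed to log in. The admin block and the addresses in it are constructed from documentation ranges, and the /24 threshold is an assumption you can tighten.

```python
"""Review trusted-host entries of a FortiGate administrator.

Added example; not Selectel's or Fortinet's code. FortiOS writes each entry as
'set trustedhostN <ip> <netmask>'. The admin block and addresses below are
constructed (RFC 5737 documentation ranges).
"""
import ipaddress
import re

# Constructed sample of one administrator entry from a backup file.
SAMPLE_ADMIN_BLOCK = """\
config system admin
    edit "admin"
        set trustedhost1 203.0.113.10 255.255.255.255
        set trustedhost2 198.51.100.0 255.255.255.0
        set trustedhost3 0.0.0.0 0.0.0.0
    next
end
"""

# Assumed threshold: any entry wider than a /24 is reported as too broad.
MAX_PREFIX_WIDTH = 24

_TRUSTED_HOST_RE = re.compile(r"set trustedhost(\d+)\s+(\S+)\s+(\S+)")


def parse_trusted_hosts(admin_block: str) -> dict:
    """Return {slot_number: ip_network} for every trustedhostN line."""
    hosts = {}
    for match in _TRUSTED_HOST_RE.finditer(admin_block):
        slot, ip, mask = match.groups()
        # ipaddress accepts the dotted-netmask form FortiOS uses.
        hosts[int(slot)] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return hosts


def broad_entries(hosts: dict) -> list:
    """Slots whose network is wider than MAX_PREFIX_WIDTH; 0.0.0.0/0 means 'any'."""
    return sorted(slot for slot, net in hosts.items()
                  if net.prefixlen < MAX_PREFIX_WIDTH)


def is_permitted(hosts: dict, source_ip: str) -> bool:
    """True if source_ip falls inside at least one trusted-host network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in hosts.values())


if __name__ == "__main__":
    hosts = parse_trusted_hosts(SAMPLE_ADMIN_BLOCK)
    for slot, net in sorted(hosts.items()):
        flag = "  <-- too broad" if slot in broad_entries(hosts) else ""
        print(f"trustedhost{slot}: {net}{flag}")
    print("192.0.2.5 permitted:", is_permitted(hosts, "192.0.2.5"))
```

Run it against the `config system admin` section of a saved backup; an entry that resolves to 0.0.0.0/0 means the trusted-host restriction is effectively not in force for that administrator.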

Configuring Two-Factor Authentication

Graphical Interface

Configure two-factor administrator authentication for improved security. FortiOS supports FortiToken and FortiToken Mobile two-factor authentication.

FortiToken Mobile is available for iOS and Android devices from their respective application stores for free.

Every registered FortiGate unit includes two trial tokens for free. Before getting started, we recommend creating a backup configuration file that you can use to restore FortiGate settings.

To use FortiToken Mobile and assign a token to an administrator:

  1. Go to System → Administrators.
  2. Enable Two-factor Authentication for each admin.
  3. Specify FortiToken as Authentication Type and select one of the available tokens from the list.
  4. Enter your email address in the Email field or your phone number in the SMS → Phone number field (to which the data for activating the token will be sent).
  5. Download the FortiToken Mobile app to your phone and enter the data that was sent earlier by scanning the QR code or entering the code manually.
  6. After that, a one-time token code will appear on the screen. It must be entered when the user authenticates.

Please note that if a token is activated for a single administrator user (the only administrator account) and you lose access to the app that provides the token code, you can also lose access to the FortiGate itself.

You can restore access with the help of Selectel engineers: our specialists will connect to the FortiGate physically, format it and reset the settings. To request this, create a ticket and specify the device to be formatted.

After that, you can upload the previously saved backup file, which must first be edited to delete the lines responsible for two-factor authentication (the set two-factor and set fortitoken lines in the administrator's entry):

config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKMOB06EF00208F"
        set email-to "email_example@gmail.com"
        set password ENC ...
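As an added example (not Selectel's or Fortinet's code), the following Python script performs that edit on a saved backup: it tracks the config/edit nesting of the file and removes only the two-factor lines of the named administrator, leaving other administrators and the rest of the file untouched. The sample backup, token serials, e-mail address and password value in it are constructed placeholders.

```python
"""Remove two-factor settings for one administrator from a FortiGate backup.

Added example; not Selectel's or Fortinet's code. It assumes the plain-text
backup layout ('config system admin' / 'edit "<name>"' / 'set ...' / 'next'
/ 'end') and deletes only the 'set two-factor' and 'set fortitoken' lines of
the chosen administrator. The sample below is constructed.
"""
import re

TWO_FACTOR_KEYS = ("two-factor", "fortitoken")

# Constructed sample: serials, address and password are placeholders.
SAMPLE_BACKUP = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKMOB_PLACEHOLDER_1"
        set email-to "admin@example.invalid"
        set password ENC PLACEHOLDER
    next
    edit "auditor"
        set accprofile "prof_admin"
        set two-factor fortitoken
        set fortitoken "FTKMOB_PLACEHOLDER_2"
        set password ENC PLACEHOLDER
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?(.*?)"?$')


def _track_path(line: str, path: list) -> None:
    """Update the stack of open 'config'/'edit' blocks for one stripped line.

    Nested tables inside an admin entry (e.g. a dashboard config) push a
    deeper level, so their 'set' lines are never mistaken for the admin's.
    """
    if line.startswith("config "):
        path.append(("config", line[len("config "):]))
    elif line.startswith("edit "):
        match = _EDIT_RE.match(line)
        path.append(("edit", match.group(1) if match else ""))
    elif line in ("next", "end") and path:
        path.pop()


def strip_two_factor(backup_text: str, admin_name: str) -> str:
    """Return the backup text with the named admin's two-factor lines removed."""
    target = [("config", "system admin"), ("edit", admin_name)]
    path, kept = [], []
    for raw in backup_text.splitlines(keepends=True):
        line = raw.strip()
        if path == target and line.startswith("set "):
            key = line.split()[1]
            if key in TWO_FACTOR_KEYS:
                continue  # drop this line, keep everything else as-is
        _track_path(line, path)
        kept.append(raw)
    return "".join(kept)


def admins_with_two_factor(backup_text: str) -> list:
    """Names of administrators whose entry still enables two-factor auth."""
    names, path = [], []
    for raw in backup_text.splitlines():
        line = raw.strip()
        if (len(path) == 2 and path[0] == ("config", "system admin")
                and line.startswith("set two-factor ")
                and line.split()[2] != "disable"):
            names.append(path[1][1])
        _track_path(line, path)
    return names


if __name__ == "__main__":
    cleaned = strip_two_factor(SAMPLE_BACKUP, "admin")
    print("before:", admins_with_two_factor(SAMPLE_BACKUP))
    print("after: ", admins_with_two_factor(cleaned))
```

Run it on the full backup file, write the result to a new file and restore that; the original backup stays untouched in case the edit needs to be repeated for another account.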

If two-factor authentication is enabled for a different user, an administrator can move that user's token to another device by disabling two-factor authentication for the user, saving the changes, and then configuring two-factor authentication again as described above.

Creating Multiple Administrator Accounts

Graphical Interface

For security reasons, we recommend having a separate account for each person or each role that requires administrative access. To create a new user:

  1. Go to System → Administrators.
  2. Select Create new → System administrator.
  3. Enter the name, password, and administrator profile. A profile is a role that has a set of rights. You can configure the profile or create a new one on the Admin Profiles tab.

Configuring Account Lockouts

Graphical Interface

Configure account lockout after a maximum number of incorrect password attempts to prevent password guessing. By default, the number of password retry attempts is three.

Console Interface

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

To change through the CLI, enter the following:

config system global
set admin-lockout-threshold 3
set admin-lockout-duration 60
end

Renaming the Administrator Account

Graphical Interface

You can improve security by renaming the administrator account. To do this, create a new administrator account with the super_admin admin profile and log in as that administrator (since you cannot rename the account you are currently logged in with). Then go to System → Administrators and edit the Username. Renaming the admin account makes it more difficult for an attacker to log into FortiOS.

Disabling Unused Interfaces

Graphical Interface

To disable an interface from the GUI:

  1. Go to Network → Interfaces.
  2. Edit the interface to be disabled and set Interface Status to Disabled.

Console Interface

To change through the CLI, enter the following:

config system interface
edit port2
set status down
end

Disabling Unused Protocols

Graphical Interface

You can disable unused protocols that attackers may attempt to use to gather information about the device. Many of these protocols are disabled by default.

Using the config system interface command, you can view the current configuration of each of these options for the selected interface and then disable them if required.

Console Interface

To change through the CLI, enter the following:

config system interface
edit <interface-name>
set dhcp-relay-service disable
set pptp-client disable
set arpforward disable
set broadcast-forward disable
set l2forward disable
set icmp-redirect disable
set vlanforward disable
set stpforward disable
set ident-accept disable
set ipmac disable
set netbios-forward disable
set security-mode none
set device-identification disable
set lldp-transmission disable
end
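An added example, not Selectel's or Fortinet's own tooling, that ties the CLI settings from the sections above together: a Python audit that parses a FortiGate configuration backup and reports interfaces that still allow HTTP or Telnet, interfaces with any of the protocol options listed in this section explicitly enabled, HTTPS redirect turned off, management ports left at their standard values, an idle timeout above 5 minutes, and lockout values weaker than the defaults. It assumes the plain-text backup format (config / edit / set / next / end), the defaults stated in this article (admintimeout 5, lockout threshold 3, lockout duration 60) and the standard ports 443 and 22; the sample backup and its interface names are constructed. One caveat a practitioner should keep in mind: a backup omits settings that are at their default value, so an option absent from the file is at whatever the device default is, and an export made with `show full-configuration` is needed to see those too.

```python
"""Audit a FortiGate configuration backup against the hardening points above.

Added example, not Selectel's or Fortinet's code. Assumes the plain-text
backup format and the defaults quoted in the article; absent settings are
treated as defaults, which is only complete for an export made with
'show full-configuration'. The sample backup is constructed.
"""
import shlex
from collections import defaultdict

# Interface options the "Disabling Unused Protocols" section sets to disable.
INTERFACE_PROTOCOL_KEYS = {
    "dhcp-relay-service", "pptp-client", "arpforward", "broadcast-forward",
    "l2forward", "icmp-redirect", "vlanforward", "stpforward", "ident-accept",
    "ipmac", "netbios-forward", "device-identification", "lldp-transmission",
}

# Constructed sample backup; addresses, ports and interface names are made up.
SAMPLE_BACKUP = """\
config system global
    set admin-https-redirect enable
    set admin-ssh-port 48022
    set admintimeout 30
    set admin-lockout-threshold 10
    set admin-lockout-duration 60
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "port2"
        set allowaccess https ssh
        set lldp-transmission enable
        set security-mode none
    next
end
"""


def _unquote(token: str) -> str:
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token


def parse_fortios_config(text: str):
    """Yield (path, key, values) for every 'set' line in the backup.

    path is the tuple of enclosing table names and edit keys, for example
    ('system interface', 'port1'); values are the tokens after the key.
    """
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
        elif line.startswith("edit "):
            path.append(_unquote(line[len("edit "):]))
        elif line in ("next", "end"):
            if path:
                path.pop()
        elif line.startswith("set "):
            tokens = shlex.split(line[len("set "):])
            yield tuple(path), tokens[0], tokens[1:]


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    glob = {}
    interfaces = defaultdict(dict)
    for path, key, values in parse_fortios_config(text):
        if path == ("system global",):
            glob[key] = values
        elif len(path) == 2 and path[0] == "system interface":
            interfaces[path[1]][key] = values

    for name, settings in sorted(interfaces.items()):
        weak = sorted(set(settings.get("allowaccess", [])) & {"http", "telnet"})
        if weak:
            findings.append(f"{name}: allowaccess permits {' '.join(weak)}; keep only https ssh")
        for key in sorted(set(settings) & INTERFACE_PROTOCOL_KEYS):
            if settings[key] == ["enable"]:
                findings.append(f"{name}: {key} is enabled")

    # Global settings missing from the backup are at the device default.
    if glob.get("admin-https-redirect") == ["disable"]:
        findings.append("admin-https-redirect is disabled")
    if "admin-sport" not in glob:
        findings.append("admin-sport not set: HTTPS management stays on default port 443")
    if "admin-ssh-port" not in glob:
        findings.append("admin-ssh-port not set: SSH management stays on default port 22")
    timeout = int(glob.get("admintimeout", ["5"])[0])
    if timeout > 5:
        findings.append(f"admintimeout is {timeout} minutes; recommended 5")
    threshold = int(glob.get("admin-lockout-threshold", ["3"])[0])
    if threshold > 3:
        findings.append(f"admin-lockout-threshold is {threshold}; default 3")
    duration = int(glob.get("admin-lockout-duration", ["60"])[0])
    if duration < 60:
        findings.append(f"admin-lockout-duration is {duration} s; default 60")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_BACKUP):
        print("-", finding)
```

Point `audit()` at the text of a downloaded backup to get a checklist of the settings from this page that still need attention; re-run it after each change so the list converges to empty.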