Safety recommendations

Last update: September 06 2024

Safety recommendations

Recommendations that will improve safety.

Use secure access protocols⁠

Deny HTTP or Telnet administrative access to the FortiGate unit. We recommend leaving only HTTPS and SSH access.

Graphical interface

You can change these settings for individual interfaces on the tab Network → Interfaces.

Console interface

To change via the CLI, enter:

    config system interface
    edit <interface-name>
    set allowaccess https ssh
    end

Enable redirection to HTTPS⁠

Redirect all HTTP connection attempts to HTTPS.

Graphical interface

1. Go to System → Settings → Administrator Settings
2. Turn it on Redirect to HTTPS.

Console interface

To change via the CLI, enter:

    config system global
    set admin-https-redirect enable
    end

Change the default access ports⁠

Change the default ports for administrator access via HTTPS and SSH to non-standard ports. Before changing, make sure that the ports are not used for other services.

Graphical interface

1. Go to System → Settings → Administrator Settings
2. Change the HTTPS and SSH ports.

Console interface

To change via the CLI, enter:

    config system global
    set admin-port 48008
    set admin-sport 48344
    set admin-ssh-port 48022
    set admin-telnet-port 48032
    end

Configure short entry timeouts⁠

Set the idle time to a short time to avoid unauthorized access when the administrator is not present.

Graphical interface

1. Go to System → Settings.
2. Enter a value Idle timeout. The recommended time is five minutes.

Console interface

You can use the following command to configure grace time between SSH connection establishment and authentication. The range can be from 10 to 3600 seconds, with the default being 120 seconds. For example, you can set the time to 30 seconds:

    config system global
    set admin-ssh-grace-time 30
    end

Configure login for trusted addresses⁠

Allow login only from trusted addresses.

Graphical interface

1. Go to System → Administrators.
2. Edit the account, turn on Restrict login to trusted hosts.
3. Add trusted addresses or networks.

Console interface

To change via the CLI, enter:

    config system admin
    edit admin
    set trustedhost1 <IP/MASK>
    end

Configure two-factor authentication⁠

For enhanced security, configure two-factor authentication for the administrator. FortiOS supports FortiToken and FortiToken Mobile two-factor authentication. FortiToken Mobile is available free of charge for iOS and Android devices in their respective app stores.

Each registered FortiGate unit includes two tokens at no charge. Before you start, you must create a configuration backup file that you can use to restore FortiGate settings.

To use FortiToken Mobile and assign the token to an administrator:

1. Go to System → Administrators.
2. Select Two-factor Authentication for each administrator.
3. As. Authentication Type Specify FortiToken and select one of the available tokens.
4. Enter your e-mail address in the field Email or phone number in the field SMS → Phone numberto which the data for token activation will be sent.
5. Download the FortiToken Mobile app on your cell phone, and in it, enter the data that was sent earlier for activation by scanning the QR code or entering the code manually.
6. After that, a one-time token code will appear on the screen, which must be entered when authorizing the user.

When activating a token for a single admin user, if you lose access to the application providing the token, you can lose access to the FortiGate itself.

Access can be restored by Selectel engineers physically connecting to the FortiGate and resetting the FortiGate. To do this file a ticketIf you want to format the device, you must specify the device to be formatted.

After that you can download the previously saved backup file, which should be edited beforehand by deleting the lines responsible for two-factor authentication:

config system admin
        edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKMOB06EF00208F"
        set email-to "email_example@gmail.com"
        set password ENC ...

In the case where two-factor authentication is enabled for another user, the administrator can transfer the token to another device by turning off two-factor authentication for the user and saving the changes, then repeating the two-factor authentication setup as described above.

Create multiple administrator accounts⁠

For security reasons, it is recommended to have a separate account for each administrator. Create multiple administrator accounts.

Configure account lockout⁠

For password protection set up account lockout after entering an incorrect password. The default number of unsuccessful password attempts is three.

Rename the administrator account⁠

Rename the administrator account. This makes it difficult for an attacker to enter FortiOS.

Disable unused interfaces⁠

Graphical interface

1. Go to Network → Interfaces.
2. Edit the interface and set the parameter to Interface Status significance Disabled.

Console interface

To change via the CLI, enter:

    config system interface
    edit port2
    set status down
    end

Disable unused protocols⁠

You can disable unused protocols that attackers can use to gather information. Many of these protocols are disabled by default.

Console interface

To change via the CLI, enter:

    config system interface
    edit <interface-name>
    set dhcp-relay-service disable
    set pptp-client disable
    set arpforward disable
    set broadcast-forward disable
    set l2forward disable
    set icmp-redirect disable
    set vlanforward disable
    set stpforward disable
    set ident-accept disable
    set ipmac disable
    set netbios-forward disable
    set security-mode none
    set device-identification disable
    set lldp-transmission disable
    end