Security best practices for FortiGate

Recommendations for improving your security level.

The settings in this guide are valid for FortiOS 6.x and 7.x versions. If you have a different version of FortiOS, you can find documentation for it in the FortiGate control panel in the top-right corner or on the official FortiGate website.

Use secure access protocols

Disable HTTP and Telnet for administrative access to FortiGate; both carry credentials in cleartext. We recommend leaving only HTTPS and SSH access enabled.

You can change these settings for individual interfaces on the Network > Interfaces tab.

Enable redirect to HTTPS

Redirect all HTTP connection attempts to HTTPS.

  1. Go to System > Settings > Administrator Settings.
  2. Enable Redirect to HTTPS.

Change default access ports

Change the default ports for administrative HTTPS and SSH access to non-standard ones. Before changing them, make sure the new ports are not already used by other services.

  1. Go to System > Settings > Administrator Settings.
  2. Change the HTTPS and SSH ports.

Configure short login timeouts

Set a short idle timeout so that a session left open by an absent administrator cannot be used by someone else.

  1. Go to System > Settings.
  2. In the Idle timeout field, specify the idle time in minutes. The recommended time is five minutes.
  3. Click Apply.

Configure login for trusted addresses

Allow login only from trusted addresses.

  1. Go to System > Administrators.
  2. Edit the account and enable Restrict login to trusted hosts.
  3. Add trusted addresses or networks.
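As an added example (not part of this guide and not a Fortinet tool), the following Python script checks a FortiOS configuration backup against the points above: HTTP or Telnet enabled on an interface, an idle timeout above five minutes, the default HTTPS and SSH admin ports, and administrator accounts without a trusted-host restriction. The backup text and the finding messages are constructed for the example; the FortiOS defaults it assumes for unset keys are 443, 22 and 5 minutes.

```python
# Constructed sample of a FortiOS configuration backup (not taken from a real device).
SAMPLE_CONFIG = """\
config system global
    set admintimeout 30
end
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet
    next
end
config system admin
    edit "admin"
    next
end
"""
def parse_config(text):
    """config/edit/set/next/end -> {section: {entry: {key: values}}}; entry "" = section level."""
    tree, section, entry, nested = {}, None, "", 0
    for line in (raw.strip() for raw in text.splitlines()):
        if nested:                             # inside a sub-table: skip through its "end"
            nested += line.startswith("config ") - (line == "end")
        elif line.startswith("config "):       # new top-level section, or a sub-table like "config ipv6"
            nested = int(section is not None)
            if not nested:
                tree[(section := line[7:])] = {"": {}}
        elif line.startswith("edit "):
            tree[section].setdefault((entry := line[5:].strip('"')), {})
        elif line.startswith("set "):
            key, *values = line[4:].split()
            tree[section][entry][key] = values
        elif line == "next":
            entry = ""
        elif line == "end":
            section, entry = None, ""
    return tree
def audit(text):
    """Findings for the checks above; FortiOS defaults (443, 22, 5 min) are assumed when a key is unset."""
    cfg, out = parse_config(text), []
    g = cfg.get("system global", {}).get("", {})
    if g.get("admin-sport", ["443"]) == ["443"] or g.get("admin-ssh-port", ["22"]) == ["22"]:
        out.append("global: default admin port (443 or 22) still in use")
    if int(g.get("admintimeout", ["5"])[0]) > 5:
        out.append("global: idle timeout above 5 minutes")
    for name, iface in cfg.get("system interface", {}).items():
        if {"http", "telnet"} & set(iface.get("allowaccess", [])):
            out.append(f"interface {name}: HTTP/Telnet admin access enabled")
    for name, adm in cfg.get("system admin", {}).items():
        if name and not any(k.startswith("trusthost") for k in adm):
            out.append(f"admin {name}: no trusted-host restriction")
    return out
```

Run `audit(open("backup.conf").read())` on an exported backup; nested sub-tables such as `config ipv6` inside an interface are skipped rather than mis-parsed.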

Create multiple administrator accounts

For security purposes, create a separate account for each administrator instead of sharing a single account, so that every action can be attributed to a specific person.

Configure account lockout

To protect against password brute-forcing, configure account lockout after repeated incorrect password attempts. By default, an account is locked after three failed attempts.

Rename the administrator account

Rename the default administrator account so that its name is not predictable. An attacker then has to guess a valid username as well as the password, which makes logging in to FortiOS more difficult.

Disable unused interfaces

  1. Go to Network > Interfaces.
  2. Edit the interface and set the Interface Status parameter to Disabled.

Disable unused protocols

You can disable unused interface protocols and forwarding features that attackers may use for information gathering or to reach other hosts through the firewall. Many of these are already disabled by default.

To change these settings via the CLI, enter the following, replacing <interface_name> with the name of the interface:

config system interface
    edit <interface_name>
        set dhcp-relay-service disable
        set pptp-client disable
        set arpforward disable
        set broadcast-forward disable
        set l2forward disable
        set icmp-redirect disable
        set vlanforward disable
        set stpforward disable
        set ident-accept disable
        set ipmac disable
        set netbios-forward disable
        set security-mode none
        set device-identification disable
        set lldp-transmission disable
    next
end