Security recommendations
Recommendations that will improve the security of the FortiGate.
Use secure access protocols
Do not allow HTTP or Telnet for administrative access to the FortiGate; both carry credentials and session data in cleartext. We recommend leaving only HTTPS and SSH access.
You can change these settings for individual interfaces on the Network → Interfaces tab.
To change via the CLI, enter the following (set replaces the whole allowaccess list, so include any other service you still need on that interface, such as ping):
config system interface
edit <interface-name>
set allowaccess https ssh
end
Enable redirection to HTTPS
Redirect all HTTP connection attempts to HTTPS.
- Go to System → Settings → Administrator Settings
- Enable Redirect to HTTPS.
To change via the CLI, enter:
config system global
set admin-https-redirect enable
end
Change default access ports
Change the default ports for administrator access via HTTPS and SSH to non-standard ports. Make sure that the ports are not used by other services before changing them. Non-standard ports reduce noise from automated scanners but are not a security control on their own, so keep the trusted-host restrictions described below. In the CLI, admin-port is the HTTP port, admin-sport the HTTPS port, admin-ssh-port the SSH port and admin-telnet-port the Telnet port; if HTTP and Telnet are already denied, their ports do not matter. After changing the HTTPS port, reconnect to the GUI on the new port (for example https://<address>:48344).
- Go to System → Settings → Administrator Settings
- Change the HTTPS and SSH ports.
To change via the CLI, enter:
config system global
set admin-port 48008
set admin-sport 48344
set admin-ssh-port 48022
set admin-telnet-port 48032
end
Configure short session timeouts
Set a short idle timeout so that a session left open by an administrator who has stepped away cannot be used by someone else.
- Go to System → Settings.
- Set Idle timeout. The recommended value is five minutes.
The following command sets the grace time between establishing an SSH connection and completing authentication; a connection that has not authenticated within this time is closed. The range is 10 to 3600 seconds and the default is 120 seconds. For example, to set it to 30 seconds:
config system global
set admin-ssh-grace-time 30
end
Configure login from trusted addresses
Allow administrator logins only from trusted addresses. The restriction is per administrator account: an account with no trusted hosts can log in from any address that reaches a management interface. Before saving, make sure the address you are connecting from is included, otherwise you will lock yourself out.
- Go to System → Administrators.
- Edit the account, enable Restrict login to trusted hosts.
- Add trusted addresses or networks.
To change via the CLI, enter the following (the option is named trusthost in the CLI; up to ten entries, trusthost1 to trusthost10, are available per account):
config system admin
edit admin
set trusthost1 <IP/MASK>
end
Configure two-factor authentication
Configure two-factor administrator authentication for stronger security. FortiOS supports FortiToken and FortiToken Mobile two-factor authentication. FortiToken Mobile is available free of charge for iOS and Android devices in their respective app stores.
Each registered FortiGate unit includes two tokens for free. Before you begin, create a configuration backup file; you will need it to restore the FortiGate settings if the token is lost.
To use FortiToken Mobile and assign the token to an administrator:
- Go to System → Administrators.
- Edit each administrator and enable Two-factor Authentication.
- Specify FortiToken as the Authentication Type and select one of the available tokens.
- Enter the email address in the Email field, or the phone number in the SMS → Phone number field, to which the token activation data will be sent.
- Install the FortiToken Mobile app on the phone and activate the token in it, either by scanning the QR code or by entering the activation code manually.
- The app then displays a one-time code, which must be entered together with the password at every login.
If the token is activated for a single admin user and you lose access to the app that provides it, you lose access to the FortiGate itself.
Access can be restored by Selectel engineers, who connect physically, format the FortiGate and reset the settings. To arrange this, create a ticket specifying the device to be formatted.
After that you can load the previously saved backup file. Edit it beforehand and delete the lines responsible for two-factor authentication, that is the set two-factor and set fortitoken lines in the administrator's entry:
config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKMOB06EF00208F"
set email-to "email_example@gmail.com"
set password ENC ...
next
end
If two-factor authentication is enabled for more than one account and another administrator can still log in, no reset is needed: that administrator can disable two-factor authentication for the locked-out user, save the change, and then repeat the setup described above to enroll the token on the new device.
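The settings from the sections above can be checked offline against a saved backup, and the backup edit just described can be automated rather than done by hand. The script below is an added example, not Selectel's or Fortinet's code: it parses the backup format (config/edit/set/next/end blocks), flags interfaces that still allow HTTP or Telnet, a disabled HTTPS redirect, HTTPS and SSH still on their default ports, an idle timeout above five minutes, the default admin account name, and administrators without two-factor authentication or trusted hosts; and it removes the set two-factor and set fortitoken lines from every administrator entry so the backup can be restored after a reset. The sample backup is constructed, not from a real device; the factory defaults it assumes (443 for admin-sport, 22 for admin-ssh-port, 5 minutes for admintimeout) and the CLI names admintimeout and trusthost1 for the GUI's Idle timeout and Trusted hosts are assumptions stated in the code.

```python
import shlex

# Constructed sample backup (not from a real device). A backup lists only
# non-default values, so a missing key means "factory default".
SAMPLE_BACKUP = """\
config system global
    set admin-https-redirect disable
    set admin-ssh-port 48022
    set admintimeout 30
end
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet
    next
end
config system admin
    edit "admin"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
        set email-to "admin@example.com"
        set password ENC ...
    next
    edit "alice"
        set trusthost1 10.0.10.0 255.255.255.0
    next
end
"""
DEFAULT_ADMIN_PORTS = {"admin-sport": "443", "admin-ssh-port": "22"}  # assumed factory defaults
INSECURE_ACCESS = {"http", "telnet"}  # cleartext management protocols

def parse_fortios(text):
    """Parse FortiOS CLI text into {"system global": {"set": {...}, "edit": {...}}, ...}."""
    root, stack = {}, []  # stack holds (kind, node) for the open config/edit blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and the #config-version header
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            target = stack[-1][1].setdefault("config", {}) if stack else root
            target[" ".join(tokens[1:])] = node = {"set": {}, "edit": {}}
            stack.append(("config", node))
        elif kw == "edit":
            stack[-1][1]["edit"][tokens[1]] = node = {"set": {}, "edit": {}}
            stack.append(("edit", node))
        elif kw == "set":
            stack[-1][1]["set"][tokens[1]] = tokens[2:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":  # closes the config block even from inside an open edit
            while stack and stack.pop()[0] != "config":
                pass
    return root

def audit(cfg):
    """Return findings for the administrative-access settings discussed on this page."""
    findings = []
    g = cfg.get("system global", {}).get("set", {})
    val = lambda key, default: g.get(key, [default])[0]
    if val("admin-https-redirect", "enable") != "enable":
        findings.append("global: admin-https-redirect is disabled")
    for key, default in DEFAULT_ADMIN_PORTS.items():
        if val(key, default) == default:
            findings.append(f"global: {key} is still the default port {default}")
    if int(val("admintimeout", "5")) > 5:
        findings.append(f"global: admintimeout is {val('admintimeout', '5')} min, recommended 5")
    for name, iface in cfg.get("system interface", {}).get("edit", {}).items():
        bad = sorted(INSECURE_ACCESS & set(iface["set"].get("allowaccess", [])))
        if bad:
            findings.append(f"interface {name}: allowaccess permits {', '.join(bad)}")
    for name, adm in cfg.get("system admin", {}).get("edit", {}).items():
        if name == "admin":
            findings.append("admin 'admin': default account name, rename it")
        if adm["set"].get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin '{name}': two-factor authentication not enabled")
        if not any(k.startswith("trusthost") for k in adm["set"]):
            findings.append(f"admin '{name}': no trusthost entries, login allowed from anywhere")
    return findings

def strip_two_factor(text):
    """Return the backup with two-factor/fortitoken lines removed from every admin account."""
    out, depth, admin_depth = [], 0, None
    for line in text.splitlines():
        tokens = line.split()
        kw = tokens[0] if tokens else ""
        if kw == "config":
            depth += 1
            if tokens[1:3] == ["system", "admin"]:
                admin_depth = depth
        elif kw == "end":
            if depth == admin_depth:
                admin_depth = None
            depth -= 1
        elif kw == "set" and admin_depth and (tokens[1] == "fortitoken" or tokens[1].startswith("two-factor")):
            continue  # drop the line: the token no longer exists after a reset
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("\n".join(audit(parse_fortios(SAMPLE_BACKUP))))
```

Run the script as-is to see the findings for the sample; to check a real device, read the backup file into the audit and write the output of strip_two_factor to a new file before restoring it. The depth counter in strip_two_factor matters because administrator entries can contain nested config blocks with their own end lines.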
Create multiple administrator accounts
For security reasons, each administrator should have a separate account: logs then show who made a change, and one person's access can be revoked without changing a password that others share. Create an account for every administrator instead of sharing one.
Configure account lockout
To protect against brute-force password guessing, configure account lockout after a number of incorrect passwords. The default is three unsuccessful attempts; the threshold and the lockout duration are the admin-lockout-threshold and admin-lockout-duration options under config system global.
Rename the administrator account
Rename the administrator account. The default name admin is the first thing an attacker tries, so renaming it means both the account name and the password must be guessed. Create a second administrator account with the super_admin profile and log in with it before renaming, so you are not locked out.
Disable unused interfaces
Bring down interfaces that are not in use so that nothing plugged into them can reach the FortiGate or the networks behind it.
- Go to Network → Interfaces.
- Edit the interface and set Interface Status to Disabled.
To change via the CLI, enter:
config system interface
edit port2
set status down
end
Disable unused protocols
You can disable unused protocols that attackers can use to gather information or move through the network. Many of these protocols are disabled by default. Check each setting against the interface's role first: the forwarding options are needed in transparent mode or on bridged interfaces, and option names vary between FortiOS versions, so use ? at the prompt to list the ones your version supports.
To change via the CLI, enter:
config system interface
edit <interface-name>
set dhcp-relay-service disable
set pptp-client disable
set arpforward disable
set broadcast-forward disable
set l2forward disable
set icmp-redirect disable
set vlanforward disable
set stpforward disable
set ident-accept disable
set ipmac disable
set netbios-forward disable
set security-mode none
set device-identification disable
set lldp-transmission disable
end