rameshk_FTNT
Staff
April 25, 2009

Technical Tip: How to configure FortiGate Administrative Access Lockout


Description


This article provides FortiGate administrative access security best practices.

For security reasons, consider raising the administrative lockout duration (in seconds) or lowering the lockout threshold (the number of failed login attempts allowed before the lockout starts).


Solution


For example, with the lockout threshold set to 1 and the lockout duration set to 120 seconds, a single incorrect user name or password locks the administrator login out, and the next attempt is accepted only after 120 seconds have passed.

From the CLI, type:

    FGT# config system global
    FGT(global)# set admin-lockout-duration 60
    FGT(global)# set admin-lockout-threshold 3
    FGT(global)# end

Here admin-lockout-duration is the lockout time in seconds and admin-lockout-threshold is the number of failed attempts before the lockout starts (3 here; 2, 5 or any other supported value can be used). Note that 60 seconds and 3 attempts are the FortiOS defaults, so to tighten the policy as described above, set a longer duration or a lower threshold, for example 300 seconds and 2 attempts.
Other security considerations:
It is best practice to enable administrative access on the external interface only when it is needed (System -> Network, Administrative Access on the interface). If this access must stay open, assign trusted hosts to each administrator account where possible (System -> Admin), so that logins to that account are accepted only from those source IP addresses.
If neither of these is possible, change the administrative port to a non-standard port (System -> Admin -> Settings). Be aware that this only hides the service from scans limited to the default or most common ports; a scan of all ports still finds it, so treat the port change as a last resort rather than a substitute for trusted hosts.

Summary:
  1. Only allow access on the external interface when needed.
  2. When enabling remote access, configure access with trusted hosts.
  3. Change the default administrative port to a non-standard port.
  4. Modify lockout duration and threshold values (if required).
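The following script is an added example for checking the four summary points against a FortiGate configuration backup; it is not Fortinet code and is not part of the original article. It parses the "config system global" and "config system admin" sections in the format a FortiGate backup uses, and flags a lockout duration that is too short, a lockout threshold that is too high, administrator accounts with no trusted hosts, and the default HTTPS administrative port (admin-sport) when trusted hosts are missing. The two configuration samples are constructed for this example (one weak, one hardened), and the policy limits MIN_LOCKOUT_DURATION and MAX_LOCKOUT_THRESHOLD are assumed values, not Fortinet guidance. Settings that are absent from a backup are treated as the FortiOS defaults, because a normal "show" omits values left at their default.

```python
"""Audit FortiGate administrative access settings in a configuration backup."""
import re

# Constructed sample of the relevant sections of a FortiGate config backup.
# Not taken from a real device.
WEAK_CONFIG = """\
config system global
    set admin-lockout-duration 60
    set admin-lockout-threshold 3
    set admin-sport 443
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "prof_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""

# Constructed hardened version of the same settings.
HARDENED_CONFIG = """\
config system global
    set admin-lockout-duration 300
    set admin-lockout-threshold 2
    set admin-sport 8443
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.5 255.255.255.255
        set trusthost2 192.168.100.0 255.255.255.0
    next
end
"""

# Policy limits: assumed values chosen for this example, not Fortinet guidance.
MIN_LOCKOUT_DURATION = 120   # seconds
MAX_LOCKOUT_THRESHOLD = 2    # failed attempts
DEFAULT_ADMIN_SPORT = 443    # FortiOS default HTTPS administrative port


def parse_config(text):
    """Return ({global setting: value}, {admin name: {setting: value}})."""
    global_settings, admins = {}, {}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line == "end":
            section = None
        elif section == "system admin" and line.startswith("edit "):
            current = line[len("edit "):].strip('"')
            admins[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            if section == "system global":
                global_settings[key] = value
            elif section == "system admin" and current is not None:
                admins[current][key] = value
    return global_settings, admins


def audit(text):
    """Return a list of finding strings; an empty list means all checks passed."""
    g, admins = parse_config(text)
    findings = []
    # Missing keys mean the FortiOS default is in effect.
    duration = int(g.get("admin-lockout-duration", 60))
    threshold = int(g.get("admin-lockout-threshold", 3))
    sport = int(g.get("admin-sport", DEFAULT_ADMIN_SPORT))
    if duration < MIN_LOCKOUT_DURATION:
        findings.append(f"admin-lockout-duration {duration}s is below {MIN_LOCKOUT_DURATION}s")
    if threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"admin-lockout-threshold {threshold} is above {MAX_LOCKOUT_THRESHOLD}")
    # An account is restricted only if it has at least one trusthostN / ip6-trusthostN.
    unrestricted = [name for name, s in admins.items()
                    if not any(re.fullmatch(r"(ip6-)?trusthost\d+", k) for k in s)]
    for name in unrestricted:
        findings.append(f'administrator "{name}" has no trusted hosts')
    # The port change is the fallback the article recommends when trusted
    # hosts cannot be used, so only flag the default port in that case.
    if unrestricted and sport == DEFAULT_ADMIN_SPORT:
        findings.append(f"admin-sport is the default {DEFAULT_ADMIN_SPORT} "
                        "and at least one administrator has no trusted hosts")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real backup by reading the file into audit(); the parser only looks at the two sections named above, so the rest of the configuration is ignored.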


Related articles:

Technical Tip: Configuring Administrator access to a FortiGate unit using Trusted Hosts

Technical Tip: System administrator best practices for FortiGate and FortiProxy