Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
montyadams
Staff
Staff

Created on ‎05-20-2025 11:43 PM Edited on ‎05-26-2025 12:13 AM By Community Manager

Article Id 392811

Technical Tip: Hardening Best Practices: Secure Network and Devices

Description

 

This article describes essential hardening practices for FortiGate firewalls to enhance security and reduce exposure to both internal and external threats. Improper configuration or insufficient security measures can make even robust firewall devices vulnerable to compromise.


Scope

 

FortiGate.


Solution

 

  1. Change Default Credentials: Default login credentials are publicly known and can be exploited to gain unauthorized access.
  • Change the default administrator password immediately after installation.
  • Use strong, complex passwords that include uppercase and lowercase letters, numbers, and special characters.
  • Disable or rename the default administrator account if it is not required.

 

  1. Configure Secure Administrative Access: Unrestricted administrative access may result in security breaches.
  • Restrict access to the administrative interface to trusted IP addresses. Navigate to System -> Admin -> Administrators, and restrict login access to specific trusted networks.
  • Enable two-factor authentication for administrative access. Navigate to System -> Admin -> Two-Factor Authentication to configure 2FA.
  • Use secure protocols such as HTTPS and SSH. Avoid using HTTP or Telnet.
  • Limit access by configuring local-in policies. They can be configured only through the CLI: Local-in policy.

 

  1. Enable and Configure Logging: Logging enables traffic analysis, event tracking, and incident response.
  • Enable logging for system changes, login attempts, and firewall policy actions. Navigate to Log & Report -> Log Settings and enable logs for system and security events.
  • Configure centralized logging using FortiAnalyzer or an external Syslog server for secure log storage and analysis.

 

  1. Disable Unnecessary Services: Running unnecessary services may introduce potential vulnerabilities.
  • Navigate to System -> Feature Visibility and disable unused services such as HTTP, FTP, SNMP, and Telnet.
  • Use Administrative Access Profiles to control access to management services based on user roles.

 

  1. Use Strong Firewall Policies: Improperly defined firewall rules can allow unauthorized access to the network.
  • Implement restrictive policies that follow the principle of least privilege.
  • Use explicit source and destination addresses instead of broad values such as ANY.
  • Enable logging for all security policies to detect abnormal traffic patterns.

 

  1. Enable Intrusion Prevention System (IPS): IPS detects and blocks known attack patterns, including buffer overflows and injection attacks.
  • Navigate to Security Profiles -> Intrusion Prevention and apply an IPS sensor to relevant policies.
  • Ensure IPS signatures are updated regularly via FortiGuard services.

 

  1. Implement Anti-Malware Scanning: Malware can enter the network via infected content or compromised websites.
  • Navigate to Security Profiles -> Antivirus and Web Filtering, and enable them on the appropriate policies.
  • Ensure antivirus definitions are kept up to date using FortiGuard updates.

 

  1. Configure VPNs Securely: Unsecured VPNs may expose the internal network to unauthorized users.
  • Use strong encryption protocols such as IPsec with AES-256.
  • Implement certificate-based authentication instead of pre-shared keys.
  • Use address groups and user groups to restrict VPN access.

 

  1. Perform Regular Software and Firmware Updates: Outdated software may contain known vulnerabilities.
  • Navigate to System -> Firmware to check for available firmware updates and apply them promptly.
  • Ensure FortiGuard services are enabled for real-time threat intelligence and security updates.

 

  1. Enable High Availability (HA): HA configurations provide redundancy and ensure firewall continuity during outages.
  • Navigate to System -> HA and configure active-passive or active-active HA modes to maintain service availability.

 

  1. Limit User Access and Roles: Unrestricted access increases the risk of accidental or malicious changes.
  • Navigate to System -> Admin -> Administrators and define roles based on the principle of least privilege.
  • Use a strong password with special characters for the admin user.
  • Use RADIUS, LDAP, FortiToken, or local user authentication to manage access.

 

  1. Secure DNS Settings: Improper DNS configurations can lead to traffic interception or redirection.
  • Configure trusted DNS servers to prevent DNS spoofing and poisoning.
  • Enable DNS filtering to block access to malicious domains.

 

  1. Use FortiGuard Security Services: FortiGuard provides real-time protection against emerging threats.
  • Navigate to System -> FortiGuard and ensure services such as IPS, Antivirus, Anti-Spam, and Web Filtering are activated and subscribed.

 

Related documents:

FortiGate Administration Guide

FortiGate Best Practices for Security

Best practice for Fortinet admins

Best Practices and Hardening

2517
Suggest New Article
Article Feedback
Comments
GILMENDO
Staff & Editor
Staff & Editor
‎05-23-2025 05:49 PM

great job thank you Monty!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.