FortiGate
gcortes1
Staff
Article Id 196911

Description

This article lists important notes on the use of characters and symbols within the FortiOS configuration.


Scope

FortiGate.

 

Solution

Naming Rules and Restrictions:

The following are the specific rules for the FortiGate.

Duplicate Name Issues:

  • A VLAN cannot have the same name as a physical interface.
  • An Address must not have the same name as an Address Group.
  • An Address or Address Group must not have the same name as a Virtual IP Address.
  • A Service cannot have the same name as a Service Group.
  • A VLAN must not have the same name as a VDOM.
  • A VLAN or VDOM must not have the same name as a Zone.

Character Restrictions:

A name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), spaces, and the special characters - and _. Other characters are not allowed.

The special characters < > ( ) # " ' are allowed only in the following fields:

  • Passwords.
  • Replacement message.
  • Firewall policy description.
  • IPS customized signature.
  • Antivirus-blocked file pattern.
  • Web Filter banned word.
  • Spam filter banned word.
  • Interface PPPoE client user name.
  • Modem dialup account user name.
  • Modem dialup telephone number.

Note: Avoid spaces in names; use '-' or '_' instead.
A few name fields tolerate spaces, but in most of them a space in the object's name field triggers serious and unpredictable issues.


Administrator username restrictions:

Before FortiOS 7.4.0, there were no limitations on the characters that could be used for an administrator's username (other than the limits imposed with the FortiGate's Unicode UTF-8 encoding scheme, see Language support and regular expressions).

From FortiOS 7.4.0 and FortiOS 7.6.0 onward, limitations were added to the available characters to prevent homoglyph attacks (that is, usernames that are visually identical but technically different, which can cause confusion during security log analysis). Going forward, new administrator accounts are generally limited to the same character set as other locations in FortiOS: numbers (0-9), uppercase and lowercase letters (A-Z, a-z), spaces, and the special characters - and _.

However, note that there are some additional rules for admin usernames regarding character restrictions:

  • Usernames cannot begin with -, but they can end with $.
  • The naming rules are enforced on new administrator accounts and when existing administrator accounts are renamed, but not on admin accounts that already existed before the FortiGate was upgraded to 7.4 or later.
  • At the time of this writing, dots (.) cannot be used in administrator usernames, but they will be allowed once again in the upcoming FortiOS 7.4.5 and FortiOS 7.6.1.

Note that the dot is not allowed at the start of the admin username (i.e. '.admin' is disallowed, but 'test.admin' will be allowed).

  • When editing existing admin accounts with now-disallowed characters, a warning is shown in the CLI, but the name is not otherwise modified:

FortiGate # config system admin
FortiGate (admin) # edit ??tst
To prevent homoglyph attacks using unicode
New rules are added for admin user names:
Uses only these ascii characters: a-z, A-Z, 0-9, _, -
Cannot begin with -, and can end with $
While these rules are not enforced on existing
user names, rename to conform to the new rules
is recommended
FortiGate (??tst) #
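As an added example (not Fortinet's code and not part of this article), the following Python audits admin usernames taken from a FortiOS configuration backup against the character rules described above, flagging non-ASCII look-alike characters and names that predate the 7.4 enforcement. The configuration excerpt and its usernames are constructed sample data, and the `config system admin` / `edit "name"` layout of the backup is an assumption.

```python
import re
import unicodedata

# Constructed excerpt of a FortiOS config backup (sample data, not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
    next
    edit "ops-team$"
    next
    edit "-backup"
    next
    edit "\u0430dmin"
    next
    edit ".audit"
    next
end
"""

ASCII_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")
ADMIN_BLOCK_RE = re.compile(r"^config system admin\n(.*?)^end$", re.S | re.M)
EDIT_RE = re.compile(r'^\s*edit "([^"]*)"', re.M)


def check_admin_name(name, dots_allowed=False):
    """Violations for one admin username (empty list = conforms). Rules as in the article;
    dots_allowed models the relaxed 7.4.5/7.6.1 rule ('.' accepted except as first char)."""
    problems = []
    if name.startswith("-"):
        problems.append("begins with '-'")
    if dots_allowed and name.startswith("."):
        problems.append("begins with '.'")
    body = name[:-1] if name.endswith("$") else name  # one trailing '$' is permitted
    allowed = (ASCII_ALLOWED | {"."}) if dots_allowed else ASCII_ALLOWED
    for ch in body:
        if ch in allowed:
            continue
        if ord(ch) > 0x7F:  # non-ASCII look-alike: the homoglyph case the rules target
            problems.append("non-ASCII " + unicodedata.name(ch, "U+%04X" % ord(ch)))
        else:
            problems.append(f"disallowed character {ch!r}")
    return problems


def audit_admin_names(config_text, dots_allowed=False):
    """Map each non-conforming admin name in a config backup to its violations."""
    block = ADMIN_BLOCK_RE.search(config_text)
    names = EDIT_RE.findall(block.group(1)) if block else []
    report = {n: check_admin_name(n, dots_allowed) for n in names}
    return {n: p for n, p in report.items() if p}
```

Running `audit_admin_names(SAMPLE_CONFIG)` reports the three names that a 7.4+ FortiGate would refuse for a new account but silently keep for a pre-upgrade one.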


Length of Fields Restrictions:
Most name fields accept 35 characters. The exceptions are:

Field                                                                                 Characters allowed
----------------------------------------------------------------------------------------------------------
VLAN name                                                                             15
RADIUS server secret                                                                  15
LDAP server common name identifier                                                    15
Admin user password                                                                   32
Schedule names                                                                        32
Local certificate email                                                               60
Modem dialup account user name, password, phone number fields                         63
Firewall policy comments                                                              63
RADIUS, LDAP server domain name                                                       63
IPsec phase 1 name **                                                                 15
IPSec phase 1 local/peer ID                                                           63
IPS custom signature name                                                             63
Spam Filter MIME header name                                                          63
Antivirus file block pattern                                                          63
Local certificate organizational unit, organization, locality, state/province fields  127
IPSec phase 1 pre-shared key or certificate name                                      127
Web Filter banned word, URL, URL exempt, Pattern fields                               127
Spam Filter RBL server name, email address, MIME header body                          127
LDAP server distinguished name                                                        128
IPS custom signature                                                                  511
Replacement message                                                                   1024


Related documents: