Description
Scope
FortiGate.
Solution
Naming Rules and Restrictions:
The following are the specific rules for the FortiGate.
Duplicate Name Issues:
- A VLAN cannot have the same name as a physical interface.
- An Address must not have the same name as an Address Group.
- An Address or Address Group must not have the same name as a Virtual IP Address.
- A Service cannot have the same name as a Service Group.
- A VLAN must not have the same name as a VDOM.
- A VLAN or VDOM must not have the same name as a Zone.
Character Restrictions:
A name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), spaces, and the special characters - and _. Other characters are not allowed.
The special characters < > ( ) # " ' are allowed only in the following fields:
- Passwords.
- Replacement message.
- Firewall policy description.
- IPS customized signature.
- Antivirus-blocked file pattern.
- Web Filter banned word.
- Spam filter banned word.
- Interface PPPoE client user name.
- Modem dialup account user name.
- Modem dialup telephone number.
CLI Example
Attempting to create a user with an invalid character results in an error message stating that the supplied string contains XSS vulnerability characters.
Example:
--------------------------------
FGT (root) # config user local
FGT (local) # edit "Jimmy O'Hara"
The string contains XSS vulnerability characters
value parse error before 'Jimmy O'Hara'
Command fail. Return code -173
--------------------------------
Therefore, an API call made to a FortiGate with such a name is expected to fail with the same response.
Note: To avoid spaces in a name, use '-' or '_' instead.
There are a few name fields where a space is not an issue, but in most of them a space in the object's name field will trigger serious and unpredictable issues.
Administrator username restrictions:
Before FortiOS 7.4.0, there were no limitations on the characters that could be used for an administrator's username (other than the limits imposed by the FortiGate's Unicode UTF-8 encoding scheme; see Language support and regular expressions).
From FortiOS 7.4.0 and FortiOS 7.6.0 onward, limitations were added to the available characters to prevent homoglyph attacks (i.e. usernames that are visually the same but technically different, which can cause confusion during security log analysis). Going forward, new administrator accounts are generally limited to the same character set as other locations in FortiOS: numbers (0-9), uppercase and lowercase letters (A-Z, a-z), spaces, and the special characters - and _.
However, note that there are some additional character rules for admin usernames:
- Usernames cannot begin with -, but they can end with $.
- The naming rules are enforced on new administrator accounts and when old administrator accounts are renamed, but they are not enforced on admin accounts that already existed before the FortiGate was upgraded to 7.4 or later.
- At the time of this writing, dots (.) are not allowed in administrator usernames, but they will be allowed again in the upcoming FortiOS 7.4.5 and FortiOS 7.6.1.
Note that the dot is not allowed at the start of the admin username (i.e. '.admin' is disallowed, but 'test.admin' will be allowed).
- When editing existing admin accounts with now-disallowed characters, a warning is shown in the CLI, but the name is not otherwise modified:
FortiGate # config system admin
FortiGate (admin) # edit ??tst
To prevent homoglyph attacks using unicode
New rules are added for admin user names:
Uses only these ascii characters: a-z, A-Z, 0-9, _, -
Cannot begin with -, and can end with $
While these rules are not enforced on existing
user names, rename to conform to the new rules
is recommended
FortiGate (??tst) #
Field Length Restrictions:
Most name fields accept 35 characters. The exceptions are:
Field | Characters allowed
VLAN name | 15
RADIUS server secret | 15
LDAP server common name identifier | 15
Admin user password | 32
Schedule names | 32
Local certificate email | 60
Modem dialup account user name, password, phone number fields | 63
Firewall policy comments | 63
RADIUS, LDAP server domain name | 63
IPsec phase 1 name ** | 15
IPsec phase 1 local/peer ID | 63
IPS custom signature name | 63
Spam Filter MIME header name | 63
Antivirus file block pattern | 63
Local certificate organizational unit, organization, locality, state/province fields | 127
IPsec phase 1 pre-shared key or certificate name | 127
Web Filter banned word, URL, URL exempt, Pattern fields | 127
Spam Filter RBL server name, email address, MIME header body | 127
LDAP server distinguished name | 128
IPS custom signature | 511
Replacement message | 1024
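Because the FortiGate CLI and REST API reject a name that breaks the rules above, automation that creates objects benefits from checking names before sending them. The following pre-flight validator is an added example written for this article, not Fortinet code: it combines the general character set, the XSS-character rejection shown in the CLI example, the FortiOS 7.4.0+ admin username rules, and a subset of the length table. The field keys in FIELD_MAX_LEN are identifiers chosen for this example, not FortiOS CLI attribute names.

```python
import re

# Most name fields accept 35 characters; FIELD_MAX_LEN lists some of the
# exceptions from the length table (example field key -> characters allowed).
DEFAULT_MAX_LEN = 35
FIELD_MAX_LEN = {
    "vlan_name": 15,
    "radius_secret": 15,
    "ipsec_phase1_name": 15,
    "admin_password": 32,
    "schedule_name": 32,
    "firewall_policy_comment": 63,
    "replacement_message": 1024,
}

# Characters the CLI rejects in name fields as "XSS vulnerability characters".
XSS_CHARS = set('<>()#"\'')
# General names: 0-9, A-Z, a-z, space, '-' and '_' only.
GENERAL_NAME_RE = re.compile(r"[0-9A-Za-z _-]*")
# Admin usernames (FortiOS 7.4.0+): ASCII a-z, A-Z, 0-9, '_' and '-' only.
# A trailing '$' is permitted and stripped before this check; '.' is not
# accepted at the time of writing (7.4.5/7.6.1 re-allow it, except at the start).
ADMIN_BODY_RE = re.compile(r"[0-9A-Za-z_-]*")

def validate_name(name, field="generic", admin=False):
    """Return the list of rule violations; an empty list means the name is OK."""
    problems = []
    if not name:
        problems.append("name is empty")
    max_len = FIELD_MAX_LEN.get(field, DEFAULT_MAX_LEN)
    if len(name) > max_len:
        problems.append(f"{field}: {len(name)} characters exceeds limit of {max_len}")
    bad = "".join(sorted(c for c in set(name) if c in XSS_CHARS))
    if bad:
        problems.append(f"XSS vulnerability characters: {bad}")
    if admin:
        if not name.isascii():
            problems.append("non-ASCII characters (possible homoglyph)")
        if name.startswith("-"):
            problems.append("admin username cannot begin with '-'")
        body = name[:-1] if name.endswith("$") else name
        if not ADMIN_BODY_RE.fullmatch(body):
            problems.append("admin username allows only a-z, A-Z, 0-9, _, - and a trailing $")
    else:
        if not GENERAL_NAME_RE.fullmatch(name):
            problems.append("allowed characters are 0-9, A-Z, a-z, space, - and _")
        elif " " in name:
            problems.append("spaces may cause unpredictable issues; prefer - or _")
    return problems
```

Running validate_name("Jimmy O'Hara") reports the same apostrophe the CLI example rejects, while validate_name("svc_admin$", admin=True) passes cleanly.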
Related documents: