Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Rathan_FTNT
Staff
Staff

Created on ‎10-01-2020 01:47 AM Edited on ‎03-19-2025 07:15 AM By Moderator

Article Id 189413

Technical Tip: System administrator best practices for FortiGate and FortiProxy

Description


This article describes changes implemented to make administrative access to the GUI and CLI more secure.

 

Scope

 

FortiGate, FortiProxy.

Solution


Disable administrative access to the external (Internet-facing) interface.

When possible, do not allow administration access on the external (Internet-facing) interface.
To disable administrative access, go to Network -> Interfaces, edit the external interface, and disable HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.

From CLI:

 

config system interface
    edit <external-interface-name>
    unset allowaccess
end

 

Allow only HTTPS access to the GUI and SSH access to the CLI.

For greater security never allow HTTP or Telnet administrative access to a FortiGate interface, only allow HTTPS and SSH access.
Change these settings for individual interfaces by going to Network -> Interfaces and adjusting the administrative access to each interface.

From CLI:

 

config system interface
    edit <interface-name>
        set allowaccess https ssh
end

 

Require TLS v1.2 for HTTPS administrator access.

Use the following command to require TLS v1.2 for HTTPS administrator access from GUI:

 

config system global
    set admin-https-ssl-versions tlsv1-2
end

 

TLS 1.2 is currently the most secure SSL/TLS-supported version for SSL-encrypted administrator access.
Re-direct HTTP GUI logins to HTTPS.
Go to System -> Settings -> Administrator Settings and enable 'Redirect to HTTPS' to make sure that all attempted HTTP login connections are redirected to HTTPS.

From CLI:

 

config system global
    set admin-https-redirect enable
end

 

Change the HTTPS and SSH admin access ports to non-standard ports.

Go to System -> Settings -> Administrator Settings and change the HTTPS and SSH ports. Change the default port configurations for HTTPS and SSH administrative access for added security. To connect to a non-standard port, the new port number has to be included in the collection request.

 

For example:

 

From CLI:

 

config system global
    set admin-sport 7734
    set admin-ssh-port 2345
end

 

If the HTTPS or SSH port numbers are changed, make sure that the changes do not conflict with ports used for other services.

Maintain short login timeouts.
Set the idle timeout to a short time to avoid the possibility of an administrator walking away from their management computer and leaving it exposed to unauthorized personnel.

 

To set the administrator idle timeout, go to System -> Settings and enter the amount of time for the Idle timeout. A best practice is to keep the default time of 5 minutes.

From CLI.

 

config system global
    set admintimeout 5
end

 

Use the following command to adjust the grace time permitted between making an SSH connection and authenticating. The range can be between 10 and 3600 seconds, the default is 120 seconds (minutes). Shortening this time decreases the chances of someone attempting a brute force attack from being successful.

 

For example, set the time to 30 seconds.

 

config system global
    set admin-ssh-grace-time 30
end

 
Set the idle timeout to a short time to avoid the possibility of an administrator walking away from the management computer and leaving it exposed to unauthorized personnel.
 
To set the administrator idle timeout, go to System -> Settings and enter the amount of time for the Idle timeout.
A best practice is to keep the default time of 5 minutes.
 
From CLI:
 
config system global
    set admintimeout 5
end
 
Use the following command to adjust the grace time permitted between making an SSH connection and authenticating. The range can be between 10 and 3600 seconds, the default is 120 seconds (minutes). Shortening this time decreases the chances of someone attempting a brute force attack from being successful.
 
For example, set the time to 30 seconds.
 
config system global
    set admin-ssh-grace-time 30
end
 
Restrict logins from trusted hosts.
 
Setting up trusted hosts for an administrator limits the addresses from where they can log into FortiOS. The trusted host configuration applies to most forms of administrative access including HTTPS, SSH, and SNMP. When identifying a trusted host for an administrator account, FortiOS accepts that administrator’s login only from one of the trusted hosts. A login, even with proper credentials, from a non-trusted host is dropped.
 
Even if trusted hosts are configured, if the ping administrative access is on, on a FortiGate interface, it will respond to ping requests from any IP address.
 

Adryan_you_0-1733706701500.png

 

For FortiProxy (v7.0/v7.2/v7.4/v7.6), the trusted host setting applies to the ping service. FortiProxy only responds to ping requests from trusted hosts. (The ping request will fail if the device is not inside the trusted host list).


To identify trusted hosts, go to System -> Administrators, edit the administrator account, enable Restrict login to trusted hosts, and add up to ten trusted host IP addresses.
 
Note:
Any local admin account on FortiGate has a limit of adding only 10 trusted hosts(either direct /32 IP address or network subnet) and cannot add more trusted hosts either in GUI or in CLI.
Also, the trusted host cannot be added to an SSO admin account. Refer to this article: Technical Tip: How Trusted Hosts work with SSO Admin accounts on the FortiGate for more information.
 
From CLI:
 
config system admin
    edit <administrator-name>
        set trusthost1 172.25.176.23 255.255.255.255
        set trusthost2 172.25.177.0 255.255.255.0
end
 
From the GUI:
  1. The list of administrators can be found under System -> Administrators.
  2. Select an Administrator and then edit.


Ade_23_0-1734377858627.png

 

  1. An option in the administrator edit page can be seen to enable trusted hosts ('Restrict login to trusted hosts').
  2. List the host IP or network addresses that can access the firewall.

 Ade_23_1-1734377858630.png

 

Trusted host IP addresses can identify individual hosts or subnets. Just like firewall policies, FortiOS searches through the list of trusted hosts in order and acts on the first match it finds. When trusted hosts are configured, start by adding specific addresses at the top of the list. Follow with more general IP addresses.
Adding addresses is unnecessary for all trusted hosts as long as all specific addresses are above all of the 0.0.0.0 0.0.0.0 addresses.
 
Note: If administrative access is required via Remote Access VPN, the VPN Remote Access subnet ranges have to be added as a trusted host subnet.
 
Note: If administrative access is required via Remote Access VPN, add the VPN RA subnet range as a trusted host subnet. 
 
Note: If the trusted host is set for an administrator and the user loses the trusted host network, the user needs to access FortiGate. The only way is to access FortiGate through a console connection.
 
Set up two-factor authentication for administrators.
 
FortiOS supports FortiToken and FortiToken Mobile 2-factor authentication. FortiToken Mobile is available for iOS and Android units from their respective application stores.
Every registered FortiGate unit includes two trial tokens for free. Purchase additional tokens from the reseller or Fortinet.
To assign a FortiToken to an administrator, go to System -> Administrators and select 'Enable Two-factor Authentication' for each administrator.
 
Create multiple administrator accounts.
 
Rather than allowing all administrators to access ForiOS with the same administrator account, create accounts for each person or each role that requires administrative access.
This configuration allows for tracking of the activities of each administrator or administrative role.
 
To let administrators have different functions, can add different administrator profiles.
Go to System -> Admin Profiles and select' Create New'.
 
Modify administrator account lockout duration and threshold values.
 
By default, FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.
Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.
 
From CLI:
 
config system global
    set admin-lockout-threshold <failed_attempts>
    set admin-lockout-duration <seconds>
end
 
The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10.
The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.
Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.
 
Example.
To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five-minute duration before the administrator can try to log in again, enter the commands:
 
config system global
    set admin-lockout-threshold 1
    set admin-lockout-duration 300
end
 

 

Rename the admin administrator account.

 
Improve security by renaming the admin account.
To do this, create a new administrator account with the super_admin admin profile and log in as that administrator.
Then go to System -> Administrators edit the admin administrator and change the User Name. Renaming the admin account makes it more difficult for an attacker to log into FortiOS.

Add administrator disclaimers.

FortiOS can display a disclaimer before or after logging from GUI or CLI (or both).
In either case, the administrator reads and accepts the disclaimer before it is possible to proceed.

Use the following command to display a disclaimer before logging in:
 
config system global
    set pre-login-banner enable
end
 
Use the following command to display a disclaimer after logging in:
 
config system global
    set post-login-banner enable
end
 
Customize the replacement messages for these disclaimers by going to System -> Replacement Messages.
Select 'Extended View to view' and edit the Administrator replacement messages.

From the CLI:
 
config system replacemsg admin pre_admin-disclaimer-text
config system replacemsg admin post_admin-disclaimer-text
 

Configure local-in policy to allow only authorized IPs and block unknown/malicious IPs from accessing the FortiGate:

Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access ... 

 

FortiOS: Restricting Local Administrator Logins

FortiOS: starting from version 7.6.0.
allows restrictions on local administrator logins when the FortiGate can access the remote authentication server. This feature enhances system security by controlling login methods.

 

From the CLI:

 

config system global
    set admin-restrict-local {all | non-console-only | disable}
end

 

Options:

 

all: Restricts all local admin logins, including the console.
non-console-only: Restricts non-console methods (e.g., SSH) but allows console access.
disable: No restrictions on local admin logins.

57486
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.