Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Haris
New Contributor

Is there a way to disable the reset switch on the Fortigate firewalls?

Hi, 

 

We'd like to disable the console port and the reset switch on the Fortigate firewalls. We've already found the documentation for disabling the console port, anyhow we can't find anything related to disabling the reset switch located on the back of the firewall. Is there any way to disable this switch and thus prevent the possibility that someone abuse it?

 

 

4 REPLIES 4
ede_pfau
SuperUser
SuperUser

No config setting that I know of.

'there is no security without physical security' - as long as anybody has physical access he/she can sabotage a FGT anytime. My best bet would be to close the hole in front of the reset key, using superglue or a security screw.

School?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Haris
New Contributor

No, it's not a school. Anyhow we'd like to avoid any possibility that someone could eventually do something like that. We'll disable the console port as well and allow access from only limited sources. 

Thank you for info ;)

Dave_Hall
Honored Contributor

If you are going through the trouble of "locking down" the fgt, you may consider disabling the auto install feature. 

 

Personally, I rather physically lock down the fgt (e.g. either with a small cage or rack enclosure, in a locked/secure room/closet) than risk "bricking" a fgt due to a corrupted flash or boot disk from a UPS (or power) failure. 

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
tanr
Valued Contributor II

A way to lock it down but keep the auto install available for emergencies is to use the same CLI commands Dave listed, and just change the names of the files it looks for.  Don't know how fully secure that is (I would hope it doesn't directly request the file by name) but it would block most users.

 

Physical security and monitoring is really key.  For example, one of our locations has the network equipment in a locked enclosure, plus anyone in that room can see that the security cameras recording their activity there to an offsite location.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors