Before we begin, I just want to say that Fortinet’s documentation is always a great resource.
It’s best to secure the device by not enabling access from insecure locations, but sometimes it’s necessary. Firewalls almost always interface with the internet, and most of the time we enable remote access from the internet to make our lives easier when troubleshooting an issue while not being behind the firewall at the time.
Here are some steps for simple device hardening with FortiGate in order to help eliminate vulnerable spots when allowing access from the internet:
- Enable a password policy
- Modify lockout policy/duration as necessary
- Allow admin access from only trusted hosts
- Modify default access TCP ports
- Create a new admin account named something different, and remove the default admin account
- Make sure a login banner is active (certain cyber laws require explicit notification that the user attempting login should have authorization)
- Use dual factor authentication to gain admin access to the device
- Logging, always!
These steps apply to both the 5.2 and 5.4 FortiOS firmware releases.
Enabling a password policy
This is great to do if you have multiple accounts on your FortiGate. With a password policy, a user cannot change their super complex password to something with only a few letters. A password policy enforces specific requirements when a password is set. For example, you can set the character requirements as well as password reuse and expiration rules. Check out the below images for 5.2 and 5.4. Notice you can enable this for VPN accounts and admin accounts.
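The same policy from the CLI, as an added example that is not part of the original post or Fortinet's own documentation. The minimum length, character counts and expiry values are constructed; pick your own. The `#` lines are comments for the reader and may need to be dropped when pasting into the CLI. `apply-to` takes both `admin-password` and `ipsec-preshared-key`, which is how the "admin accounts" and "VPN accounts" checkboxes map to the CLI; if an option name is rejected on your release, `get system password-policy` lists what that build supports.

```fortios
# Added example, not from the original post. Values are constructed.
config system password-policy
    set status enable
    # Admin accounts and IPsec pre-shared keys (the GUI's "VPN" option)
    set apply-to admin-password ipsec-preshared-key
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    # A new password must differ from the old one in at least four characters
    set change-4-characters enable
    # Force a change every 90 days and forbid reusing the previous password
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end
# Confirm what is actually in effect
show system password-policy
```

Once `status` is enabled, an admin whose current password does not meet the policy is prompted to change it at the next login, so test the policy with a second account before applying it device-wide.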
Login failure lockout duration and threshold
By default within FortiGate, when you mistype your password three times, it locks you out of the firewall for five minutes (even though all documentation claims 60 seconds). This is a great defense against applications that attempt to brute force the firewall username and password. Increasing the time the user is locked out can be a good idea to keep the bad guys from knocking, but could also really put a damper on your day if you lock yourself out of your firewall for X amount of time.
The commands to alter your login failure lockout duration are the same in both firmwares:
config sys global
set admin-lockout-duration <seconds>
end
To increase the threshold (how many incorrect login attempts you can have):
config sys global
set admin-lockout-threshold <1-10 attempts>
end
Limit logins to only trusted hosts
It’s very insecure to allow logins from anywhere on the internet, especially when you should already know which sources you’ll be logging in from.
Under the administrators options, you can select the trusted hosts (IP networks) that can login (I’m doing it with a Mirazon account in this case). You could also modify the default admin account.
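The trusted-host restriction, a replacement admin account and the removal of the default one, done from the CLI. This is an added example, not the original post's or Fortinet's own code: the account name `ops-admin`, the two source networks and the token serial are constructed placeholders. `trusthost1` through `trusthost10` are available, and a source that matches none of them never reaches the login prompt at all, which is what makes this stronger than a password policy alone. The `two-factor` lines cover the dual-factor item from the list above; leave them out if you have not yet assigned a FortiToken.

```fortios
# Added example, not from the original post. Names and addresses are constructed.
config system admin
    edit "ops-admin"
        set accprofile "super_admin"
        # Only these sources may reach the login at all
        set trusthost1 203.0.113.0 255.255.255.0
        set trusthost2 198.51.100.10 255.255.255.255
        set password "<long-random-password>"
        # Optional: require a FortiToken in addition to the password
        set two-factor fortitoken
        set fortitoken "<FortiToken-serial-placeholder>"
    next
end
# Log in as the new account from a trusted host and confirm it works,
# THEN remove the default account so it cannot be guessed at
config system admin
    delete "admin"
end
```

Check the result with `show system admin`: every account should carry at least one `trusthost` line, and the default `admin` entry should be gone. If you manage the device over a VPN, make sure the VPN pool is one of the trusted networks before you log out.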
Change default port numbers used for logins
I found myself in a debate one time about the security of changing default port numbers, and a friend said that changing your login port numbers is about as secure as hiding your keys under the front door mat. While he was most certainly correct, security by obscurity is better than nothing. So, by changing the default port numbers from 443 or 80, some bots that try to log in will not find the open login due to your new ports not being in its scanning script.
In the following examples I am changing the default port of 443 to 8081.
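The port change from the CLI, as an added example that is not part of the original post. It goes slightly beyond the text: besides moving HTTPS from 443 to 8081, it moves the HTTP and SSH ports as well, using the `admin-port` and `admin-ssh-port` settings. The new port numbers are constructed; choose your own, and remember that after `end` the GUI answers at `https://<firewall-ip>:8081` and your SSH client needs `-p 2222`.

```fortios
# Added example, not from the original post. Port numbers are constructed.
config system global
    # HTTPS admin GUI: 443 -> 8081 (the change made in the screenshots)
    set admin-sport 8081
    # HTTP admin GUI: 80 -> 8080 (better still, do not allow http on the
    # internet-facing interface at all; see the interface example below)
    set admin-port 8080
    # SSH: 22 -> 2222
    set admin-ssh-port 2222
end
# Confirm the active values before closing your current session
get system global | grep admin-
```

Change the ports from a session that is not going to be cut off (for example the console or an out-of-band management port), and open a second session on the new port to verify it before you drop the first one.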
In summary, there are tons of things to do to increase device security; the above are just a few simple ones to start with.
Most importantly, if you don’t need to allow remote logins to the device, why even enable it? Disable the login options under the interface. I believe the best practice is to have an out-of-band management PC that might connect directly into the management port. To access the firewall, you have to access this machine.
Changing port numbers and implementing the other options are great ways to help reduce login failure attempts or unauthorized access. Another great option I won’t go into today is dual factor authentication. By default with your FortiGate you get two licenses for two factor – why not use it for admin access?
The importance of logging is one thing that cannot be underestimated. When logging is enabled you know exactly what happened – if someone tried to log in, from where, what username, and if they failed or were successful.
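A closing example, added here and not taken from the original post or Fortinet's documentation, covering the three remaining items from the list above: turning off admin access on the internet-facing interface, enabling the pre-login banner, and sending the event log (which records every admin login attempt, its source and its outcome) to a syslog server. The interface name `wan1`, the syslog address `192.0.2.50` and the banner text are constructed placeholders; the `eventfilter` option names are as I know them from 5.x and should be confirmed with `show log eventfilter` on your release.

```fortios
# Added example, not from the original post. Names and addresses are constructed.

# 1. No management protocols on the internet-facing interface.
#    Setting allowaccess to ping alone removes https/ssh/http/telnet from it.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 2. Show a notice before the login prompt (the "login banner" item).
config system global
    set pre-login-banner enable
end
config system replacemsg admin "pre_admin-disclaimer"
    set buffer "Authorized use only. All access attempts are logged."
end

# 3. Keep the evidence off-box: event logs (admin logins included) to syslog.
config log syslogd setting
    set status enable
    set server "192.0.2.50"
    set facility local7
end
config log eventfilter
    set event enable
    set system enable
end
```

After applying this, a failed login from an untrusted source should appear in the system event log on the syslog server with the source address and username, which is exactly the record you want when deciding whether a lockout was you or someone else.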