
How to configure FortiGate Administrative Access Lockout and other best practices


Products
FortiGate
FortiGate v3.0
FortiGate v4.0

Description
This article describes FortiGate administrative access security best practices.

For security reasons you may opt to change the administrative lockout duration to a higher value (listed in seconds) or
change the lockout threshold to a lower value (attempts).

Solution
For example, with the lockout threshold set to 1 and the lockout duration set to 120 seconds, anyone who enters an
incorrect user name and password once has to wait 120 seconds before attempting to enter the user name and
password again.

From the CLI, type:

FGT# config system global
FGT(global)# set admin-lockout-duration 60
FGT(global)# set admin-lockout-threshold 3
FGT(global)# end

The lockout duration is given in seconds. The threshold can be changed to 2, 5 or any other value.

Other security considerations:

It is best practice to allow external access to the device only when needed (system->network). If you need to keep this
access "open", assign trusted hosts (system->admin) to the account where possible, so that only users coming from those
specific IPs can access the device. If you are unable to do either of these, you may opt to change the default access
port to a non-standard port (port scanners usually do not scan high-numbered ports) to help secure the device
(system->admin->settings).

To summarize:

1) Only allow access on external interface when needed
2) When enabling remote access, configure access with trusted hosts
3) Change the default administrative port to a non-standard port
4) Modify lockout duration and threshold values (if required)
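
One way to check a saved configuration backup against the four points above. This is an added example, not code from the article or from Fortinet. It assumes a plain-text, single-VDOM backup, the default values listed in DEFAULTS, and an external interface named wan1; the parse and audit helpers and the sample backup are constructed for illustration.

```python
# Assumed FortiOS defaults, applied when the backup omits a key (assumption, not from the article).
DEFAULTS = {"admin-lockout-threshold": "3", "admin-lockout-duration": "60", "admin-sport": "443"}
MGMT = {"http", "https", "ssh", "telnet"}  # allowaccess values that accept admin logins

def parse(text):
    """Top-level config/edit/set lines (nested config skipped) -> {section: {entry: {key: value}}}."""
    tree, sec, ent, depth = {}, None, "", 0
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] in ("config", "end"):
            depth += 1 if w[0] == "config" else -1
            if w[0] == "config" and depth == 1:
                sec, ent = " ".join(w[1:]), ""
        elif depth == 1 and w[0] == "edit":
            ent = w[1].strip('"')
            tree.setdefault(sec, {})[ent] = {}
        elif depth == 1 and w[0] == "set" and len(w) > 2:
            tree.setdefault(sec, {}).setdefault(ent, {})[w[1]] = " ".join(w[2:])
    return tree

def audit(text, external, max_threshold=3, min_duration=60):
    """Findings for the four summary items; the limits are the caller's policy."""
    cfg, out = parse(text), []
    g = {**DEFAULTS, **cfg.get("system global", {}).get("", {})}
    for name in external:  # 1) admin protocols on external interfaces
        access = cfg.get("system interface", {}).get(name, {}).get("allowaccess", "")
        out += [f"{name}: allowaccess {p}" for p in sorted(MGMT & set(access.split()))]
    for admin, keys in cfg.get("system admin", {}).items():  # 2) trusted hosts
        hosts = [v for k, v in keys.items() if k.startswith("trusthost")]
        if not hosts or any(h.startswith("0.0.0.0 ") for h in hosts):
            out.append(f"{admin}: no trusted hosts")
    if g["admin-sport"] == DEFAULTS["admin-sport"]:  # 3) default HTTPS admin port
        out.append("admin-sport: default")
    thr, dur = int(g["admin-lockout-threshold"]), int(g["admin-lockout-duration"])
    if thr > max_threshold or dur < min_duration:  # 4) lockout policy
        out.append(f"lockout: threshold={thr} duration={dur}")
    return out

SAMPLE = """config system global
set admin-lockout-threshold 5
end
config system interface
edit "wan1"
set allowaccess ping https ssh
next
end
config system admin
edit "admin"
next
end"""  # constructed sample backup, not from a real device
```

Calling audit(SAMPLE, ["wan1"]) returns one finding per exposed protocol, unrestricted account and weak global setting; an empty list means the backup meets the chosen policy.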

Related Articles
Configuring Administrator access to a FortiGate unit using Trusted Hosts

Last Modified Date: 10-07-2009 Document ID: FD30016

http://kb.fortinet.com/kb/viewContent.do?externalId=FD30016&sliceId=1 31/01/2011
