Thursday, October 6, 2016

How to block FortiOS admin account access

In this quick post I will show you a 1-2-3 step process for blocking the admin account. As you probably know, admin is a factory account built into FortiOS.

1: You can delete it from config sys admin.

2: If you remove it from a FortiOS config and restore that config, the firewall will still re-apply it.


It's like a bad rash that won't go away.

To make admin inoperative, and to satisfy any security concern, you need to hack it. The process is simple.


Define a noaccess profile
Apply admin to the noaccess profile
Set a password value of more than 32 characters (be advised FortiOS has a maximum password length)

e.g.

TIP: if paranoid







Next, define two-factor with an email address that's not valid.


And finally, apply trusthost statements for that account to an unused but routed address. The final configuration would look something like this.


System admin access profile with NONE


The account admin lockdown
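As an added check that is not part of the original post: a small Python audit that parses a FortiOS CLI export and confirms the lockdown described above (admin on the noaccess profile, a trusthost restriction, two-factor enabled). The export below is a constructed sample in FortiOS 5.x syntax; the profile name noaccess, the addresses and the mailbox are assumptions.

```python
# Constructed sample of a FortiOS CLI export (5.x syntax); the profile name,
# addresses and mailbox are assumptions, not values from the original post.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 192.0.2.254 255.255.255.255
        set accprofile "noaccess"
        set two-factor email
        set email-to "nobody@invalid.example"
        set password ENC <hash-placeholder>
    next
    edit "ken"
        set accprofile "super_admin"
    next
end
"""

def parse_admins(config_text):
    """Return {account: {setting: value}} from the 'config system admin' block."""
    _, found, body = config_text.partition("config system admin\n")
    if not found:
        return {}
    admins, current = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        if line == "end":  # closes the admin block
            break
        if line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
    return admins

def audit_admin(admins, name="admin", profile="noaccess"):
    # Returns the lockdown checks that FAIL for one account; [] means locked down.
    acct = admins.get(name)
    if acct is None:
        return ["account not present in export"]
    failures = []
    if acct.get("accprofile") != profile:
        failures.append("accprofile is not %s" % profile)
    hosts = [v for k, v in acct.items() if k.startswith("trusthost")]
    # "0.0.0.0 0.0.0.0" is the FortiOS 'any host' value, so it is no restriction.
    if not hosts or any(h.startswith("0.0.0.0 0.0.0.0") for h in hosts):
        failures.append("trusthost missing or allows any source")
    if acct.get("two-factor", "disable") == "disable":
        failures.append("two-factor not enabled")
    return failures
```

Run it against a real `show system admin` export instead of SAMPLE_CONFIG to verify the lockdown survived a config restore.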


Ken
