Thursday, October 6, 2016

How to block FortiGate OS admin account access

In this quick post I will show you a 1-2-3 step process for blocking the admin account. As you probably know, the admin account is a factory account named in FortiOS.

1: You can delete it from config sys admin.

2: If you remove it from a FortiOS config and restore that cfg, the firewall will still re-apply it.

It's like a bad rash that won't go away.

To make admin inoperative and to satisfy any security concern, you need to hack it. The process is simple.

Define a noaccess profile
Apply admin to the noaccess profile
Set a password value of more than 32 characters (be advised FortiOS has a maximum password length)


TIP: if paranoid

Next, define a two-factor with an email address that's not valid.

And finally, apply trusthost statements for that account to a non-used and routed address. The final configuration would be something like this.

system admin  access profile with NONE

the account admin lockdown
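One way to confirm the lockdown survives a config restore is to audit the backup file. This is an added example, not part of the original post: the sample config is constructed, and `parse_section`, `audit_admin` and the `opsadmin` account are hypothetical names. The password step is not checked, because a backup holds only an encoded password value.

```python
# SAMPLE_CONFIG is a constructed backup excerpt, not taken from the original post.
SAMPLE_CONFIG = """\
config system accprofile
    edit "noaccess"
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.1 255.255.255.255
        set accprofile "noaccess"
        set two-factor email
        set email-to "nobody@example.invalid"
    next
    edit "opsadmin"
        set accprofile "super_admin"
    next
end
"""

def parse_section(text, path):
    """Return {entry: {setting: [values]}} for one top-level 'config <path>' block."""
    entries, depth, wanted, current = {}, 0, False, None
    for raw in text.splitlines():
        tok = [t.strip('"') for t in raw.split()] or [""]
        if tok[0] == "config":
            depth += 1            # nested config blocks (depth > 1) are skipped
            if depth == 1:
                wanted = tok[1:] == path.split()
        elif tok[0] == "end":
            depth -= 1
        elif wanted and depth == 1 and tok[0] == "edit":
            current = entries.setdefault(tok[1], {})
        elif wanted and depth == 1 and tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
    return entries

def audit_admin(text, name="admin"):
    """List where the named account deviates from the lockdown steps above."""
    acct = parse_section(text, "system admin").get(name)
    if acct is None:
        return [f"{name}: account not present in backup"]
    findings = []
    profile = acct.get("accprofile", [""])[0]
    # Assumption: a profile not defined in the backup (e.g. built-in) grants access.
    grants = parse_section(text, "system accprofile").get(profile, {"?": ["read-write"]})
    if any(v and v[0] in ("read", "read-write") for v in grants.values()):
        findings.append(f"{name}: profile '{profile}' still grants access")
    if not any(k.startswith("trusthost") for k in acct):
        findings.append(f"{name}: no trusthost restriction")
    if acct.get("two-factor", ["disable"])[0] == "disable":
        findings.append(f"{name}: two-factor disabled")
    return findings
```

Running `audit_admin` against each saved backup before it is restored shows whether the admin entry in that file would come back unrestricted.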

