In this quick post I will show you a 1 2 3 step in blocking the admin account. As you probably know the admin account is a factory account named in the FortiOS
1: you can delete it from config sys admin
2: if you remove it out of a fortiOS config and retore that cfg, the firewall will still re apply it.
It's like a bad rash that won't go away.
To make admin in operative you and to satisfy any security concern you need to hack it. The process is simple.
Define a noaccess profile
apply admin to the noaccess profile
set a password value of more than 32characters ( beadvise fortiOS has a password max value length )
e.g
TIP: if paranoid
next , define a two-factor with a email address that's not valid
And finally apply trusthost statements for that account to a non-used and routed address. The finally configuration would something like this.
system admin access profile with NONE
the account admin lockdown
Ken
No comments:
Post a Comment