Hardening Administrative Access on FortiOS 7.4.2

  • Published: 1 Jan 2024
  • I love when viewers help guide the way! Security Hardening of the Administrative Access was certainly not covered in the basic configuration video. So here we go!

Comments • 48

  • @FortinetGuru 6 months ago +4

    Securing your device administratively is paramount in being successful.

  • @JakeGuptill 6 months ago +1

    All great suggestions, Michael!
    I work for a service provider/consulting company. I do several things for FGTs that I have https open on the outside (I don't turn it on on all my fortigates, but some that I get in frequently, I do). I will set max login attempts to 3 with a lockout duration of 24hrs. That way a bad actor only gets 3 tries a day.
    config user setting
    set auth-lockout-threshold 3
    set auth-lockout-duration 86400
    end
    Also, we have a geoblock list that we created with about 20 foreign countries (all the worst offenders) that we create firewall policies to block in and out.
    If it's a 100 series and above, (more specifically if the box has the additional NP6/NP7 processor) we will add the geoblock list to the IPv4 access control list in and out. Boxes with this extra processor offload IPv4 ACLs to this processor. So, traffic denied by these ACLs gets dropped before it even hits your firewall policies - saving your CPU from having to process it.
    The other big thing I suggest, if you are going to open https on your outside interface, is to set up an automation stitch to email you if there is a failed login attempt or lockout. Set up an automation trigger for Event IDs "Admin Login Disabled" and "Admin Login Failed". Then create a stitch with that trigger and your email. That way you get notified of any bad attempts. This will probably cause you to turn off https management on the outside, lol. The first time you get 400-700 emails overnight from some bot trying to hit your outside interface from all over the world, you will probably end up disabling outside access! They get creative.. they'll use 10-20 different IPs from all over, and try all kinds of different usernames. I've got a running list so far of about 60 IPs that I block in addition to my geoblocking. These are IPs that I've seen across multiple disparate fortigates with multiple login attempts.
    For clients with tighter security concerns, we will disable management on the outside interface and use the fortigate cloud remote access function to tunnel into the Fortigate management.
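The comment above describes two signals worth watching on an externally reachable admin interface: a single address tripping the lockout threshold, and the distributed pattern of many source IPs trying many usernames, each below the threshold. The script below is an added example and is not the commenter's or Fortinet's code. It parses FortiOS-style key=value event log lines (the sample lines are constructed, with made-up addresses and timestamps), keys on the `logdesc` values "Admin login failed" and "Admin login disabled", counts the events an automation stitch on those triggers would fire for, and raises an alert for both the per-IP and the aggregate case.

```python
import re
from collections import Counter

# Constructed FortiOS-style event log lines for this example (not captured from
# a real device). Field names follow the FortiOS key=value log layout; the
# addresses, usernames and timestamps are made up.
SAMPLE_LOGS = [
    'date=2024-01-02 time=02:10:11 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 method="https" reason="passwd_invalid"',
    'date=2024-01-02 time=02:10:19 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 method="https" reason="passwd_invalid"',
    'date=2024-01-02 time=02:10:26 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 method="https" reason="passwd_invalid"',
    'date=2024-01-02 time=02:10:27 type="event" subtype="system" level="alert" logdesc="Admin login disabled" user="admin" srcip=203.0.113.5 method="https" msg="Administrator admin login disabled"',
    'date=2024-01-02 time=02:31:40 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="root" srcip=198.51.100.23 method="https" reason="name_invalid"',
    'date=2024-01-02 time=02:52:03 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="administrator" srcip=198.51.100.77 method="ssh" reason="name_invalid"',
    'date=2024-01-02 time=03:14:55 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=192.0.2.44 method="https" reason="passwd_invalid"',
    'date=2024-01-02 time=08:02:12 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" srcip=10.10.0.5 method="https" reason="passwd_invalid"',
    'date=2024-01-02 time=08:02:20 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" srcip=10.10.0.5 method="https"',
]

# One key=value pair: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Split a FortiOS-style log line into a dict of field -> value (quotes stripped)."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def analyze_admin_logins(lines, per_ip_threshold=3, distributed_ips=3, distributed_users=2):
    """Summarise failed administrator logins as a stitch on 'Admin Login Failed' /
    'Admin Login Disabled' would see them.

    Returns per-source-IP failure counts, the usernames tried, the number of
    events such a stitch would fire for, and a list of alert strings.
    """
    events = [parse_log_line(line) for line in lines]
    failures = [e for e in events if e.get("logdesc") == "Admin login failed"]
    lockouts = [e for e in events if e.get("logdesc") == "Admin login disabled"]

    per_ip = Counter(e.get("srcip", "?") for e in failures)
    users = sorted({e.get("user", "?") for e in failures})
    alerts = []

    # A single source reaching the lockout threshold (3 in the comment above).
    for ip, n in sorted(per_ip.items()):
        if n >= per_ip_threshold:
            alerts.append(f"{ip}: {n} failed admin logins (>= lockout threshold {per_ip_threshold})")

    # An explicit lockout event is the strongest signal; always report it.
    for e in lockouts:
        alerts.append(f"{e.get('srcip')}: account '{e.get('user')}' locked out")

    # Low-and-slow guessing spread across many addresses and usernames: no
    # single IP trips the lockout, so judge the aggregate instead.
    if len(per_ip) >= distributed_ips and len(users) >= distributed_users:
        alerts.append(f"distributed guessing: {len(per_ip)} source IPs tried "
                      f"{len(users)} usernames, {len(failures)} failures")

    return {
        "per_ip": dict(per_ip),
        "users": users,
        "stitch_events": len(failures) + len(lockouts),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in analyze_admin_logins(SAMPLE_LOGS)["alerts"]:
        print(alert)
```

Feed it the admin event log exported from the unit (or forwarded to a syslog collector) instead of the constructed list; the thresholds are parameters so they can match whatever lockout value the device is configured with. The one failure from 10.10.0.5 followed by a success is the typo pattern from a legitimate management host and does not raise an alert on its own.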

  • @m.lappin4107 6 months ago +3

    Risks and mitigating those risks of having the ACME engine for letsencrypt certs. And limiting ACME access with local-in

  • @ko_3x335 6 months ago +1

    Nice to see you're so active again. Very good Video. Thanks for sharing your Knowledge.

  • @schmoofadoop 6 months ago +1

    You are loved too Mike! Man I could feel it in your voice dude, that was heart felt and I know who you were thinking of when you said it. To ANYONE reading this, your life matters and is important! If you are watching Mike's videos and reading comments like mine, you are already way cooler than most people I know!!! :)
    Local in policy locking down remote access 100%! you also prob. wouldn't cover it on this channel but maybe on Packet Llama, but using a proper segmented management network would be a great video... locking down all the botnets from remotely reaching your FortiGate is huge of course (use that Botnet C&C DNS filter!) but not allowing just anyone on your internal interfaces to reach your firewall is also important and I find more often than not it's overlooked. Remember plenty of "incidents" are caused by human error and it's not all just malicious actors trying to get to your infrastructure.
    one last tip i like to use, run a full 65k port scan remotely (run once occasionally will not flag anything typically) and document all known / non-stealth (aka responding) ports... you should know what they ALL are doing and why they are responding / open... do this again any time you make any major changes / update your firmware / etc...
    shodan.io can be pretty eye opening too

  • @BradMottram 6 months ago +1

    Thanks Mike! I attempted Local-In Policy a while ago but screwed it up, and forgot about it! This has been massively helpful. Thank you!

  • @jakubcejka5411 3 months ago

    You are loved too, man. Great video

  • @zeinabfarhat2473 6 months ago

    Thank you for sharing! Love your channel, keep up the hard work Michael!

  • @AllegraPruett 6 months ago +1

    Great info! Thanks!

  • @njfirewall 6 months ago

    Another amazing video, would love to see some videos on FortiManager v7.2! 🙏Thank you!

  • @EverythingEvo 6 months ago +3

    In addition to local in policies, I do SAML SSO for admin accounts (Entra ID) and it works great 👌

    • @FortinetGuru 6 months ago

      I love Azure tie in! Gives you a lot more including conditional access and more!

    • @EverythingEvo 6 months ago

      @@FortinetGuru Agreed!

    • @m.lappin4107 6 months ago

      How to set this up would be great!

    • @ericcorvers75 6 months ago

      Can you access your firewall when the internet is down then?

    • @FortinetGuru 6 months ago

      Absolutely, as long as you have all possible space listed in the trusted hosts and the local in policy it will accept from the sources mentioned.

  • @jimcootsj 6 months ago

    Ha, the lack of face fuzz threw me off a bit. Great video as always. Thank you sir.

  • @jaywill1978 6 months ago

    Thx dude for the content!

  • @IamtheUli 6 months ago +2

    MSP here we use localIn policy for SSH / Admin UI to limit remote access to the box only for our Datacenter IP / Jumphost :)
    Totally annoying that you can't configure this in the GUI.

    • @FortinetGuru 6 months ago

      I agree. It should be brought to the GUI ASAP IMO

  • @---tr9qg 6 months ago +3

    Thanks. Do you planned to make tutorials about ZTNA? 😁

  • @strausstechnik1896 6 months ago +1

    Nice!

  • @BrianGladfelter 6 months ago +1

    Great review!

  • @dutchdiver5323 6 months ago +1

    Great video!! 👍

  • @imapadlock 6 months ago +1

    Happy new year! Great video. Can you do a video on SAML /entra based web filtering please?

  • @wg2060 6 months ago

    Good stuff

  • @goelhimanshu500 4 months ago

    Hi,
    I'm facing an issue with my Fortigate device. Since upgrading my firewall to FortiOS 7.4.2, the SD-WAN rules are visible in the CLI but the GUI is showing a loading page only. Please help.

  • @guentherschreiner 6 months ago

    Great video!!! 👍 Any hint for protecting services like Explicit Proxy, Virtual IPs or Virtual Servers?

  • @mirei9750 3 months ago

    Hey Mike, I cannot confirm that the Fortigate will respond to HTTP/S requests if ALL Admin users have TrustedHost active. Packets will get dropped. From my understanding, all IPs from trusted host will be granted access to the GUI/SSH
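Several comments in this thread come back to the same three controls: trusted hosts on every admin account (the comment just above), management services left enabled on the outside interface, and a local-in policy limiting who may reach them (the MSP comment earlier). Checking that by eye across a fleet of units is error-prone, so here is an added example, not the video author's or Fortinet's code, that parses a FortiOS CLI configuration and reports the gaps. The configuration excerpt is constructed for the example. The checks for `admin-lockout-threshold` and `admin-lockout-duration` look under `config system global`, which is where FortiOS keeps the administrator lockout settings; the parser understands only the `config`/`edit`/`set`/`unset`/`next`/`end` keywords, which is enough for a full-configuration backup.

```python
import shlex

# Constructed FortiOS-style configuration excerpt for this example (not from a
# real device): one admin with trusted hosts, one without, management protocols
# enabled on a WAN-role interface, no admin lockout settings, no local-in policy.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
    set admintimeout 5
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 192.0.2.10 255.255.255.255
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh fgfm
    next
end
"""

MGMT_SERVICES = {"https", "http", "ssh", "telnet"}


def parse_fortios_config(text):
    """Parse FortiOS CLI syntax into nested dicts.

    Each node is {"set": {key: [values]}, "children": {name: node}}; every
    'config' block and each 'edit' entry inside it becomes a child node.
    """
    root = {"set": {}, "children": {}}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # handles the quoted names FortiOS emits
        if not tokens:
            continue
        kw = tokens[0]
        if kw in ("config", "edit"):
            node = {"set": {}, "children": {}}
            stack[-1]["children"][" ".join(tokens[1:])] = node
            stack.append(node)
        elif kw in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        elif kw == "set" and len(tokens) >= 2:
            stack[-1]["set"][tokens[1]] = tokens[2:]
        elif kw == "unset" and len(tokens) >= 2:
            stack[-1]["set"].pop(tokens[1], None)
    return root


def audit_admin_access(text):
    """Return a list of administrative-access hardening findings for a config."""
    sections = parse_fortios_config(text)["children"]
    findings = []

    # An admin without trusted hosts is reachable from anywhere a management
    # listener is enabled; the others are limited to their trusthost ranges.
    admins = sections.get("system admin", {}).get("children", {})
    for name, node in admins.items():
        if not any(k.startswith(("trusthost", "ip6-trusthost")) for k in node["set"]):
            findings.append(f"admin '{name}' has no trusted hosts")

    # Management services enabled on WAN-role interfaces, cleartext ones anywhere.
    exposed_on_wan = False
    ifaces = sections.get("system interface", {}).get("children", {})
    for name, node in ifaces.items():
        enabled = MGMT_SERVICES.intersection(node["set"].get("allowaccess", []))
        if node["set"].get("role") == ["wan"] and enabled:
            exposed_on_wan = True
            findings.append(f"interface '{name}' (role wan) allows {', '.join(sorted(enabled))}")
        if enabled & {"http", "telnet"}:
            findings.append(f"interface '{name}' allows cleartext management")

    # Local-in policy is what restricts which sources may reach those listeners.
    if exposed_on_wan and not sections.get("firewall local-in-policy", {}).get("children"):
        findings.append("management exposed on a wan interface but no firewall local-in-policy entries found")

    # Administrator lockout settings live under system global.
    glob = sections.get("system global", {}).get("set", {})
    for key in ("admin-lockout-threshold", "admin-lockout-duration"):
        if key not in glob:
            findings.append(f"system global: {key} not set explicitly (device default applies)")

    return findings


if __name__ == "__main__":
    for finding in audit_admin_access(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against `show full-configuration` output saved from each unit; a wildcard remote (RADIUS/SAML) admin will show up as a `system admin` entry, so the trusted-hosts check covers the setup discussed further down the thread as well, provided the entry carries `trusthost` lines.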

  • @Wisdomisgood448 5 months ago

    Question regarding FortiToken - I was thinking of how it can be applied in a multi-user team environment. If you have a team of multiple engineers that would need access to the Box, how can you utilize the FortiToken if it's tied to a Mobile device? Is there a way to 'fudge' the FortiToken App in a web Browser extension in some manner?

    • @FortinetGuru 5 months ago

      Never tried. Token should be assigned to a user. Sharing wouldn't be feasible.

  • @AllMilloyAdventures 6 months ago

    Enjoying the videos, can you please share what software you use to record these? It would be great to do in-house training videos like this for my staff. Cheers

  • @vewo234 6 months ago

    Thank you for the video. I‘ve run into far too many FGTs that aren‘t adequately secured for the systems they protect.
    Can RADIUS accounts (wildcard / all in matched group) be limited to trusted hosts as well? I'm in the process of moving from all local accounts to FortiAuthenticator with Radius on some FGT clusters and I can't come up with a way to match trusted hosts per user with wildcard Radius accounts.

    • @FortinetGuru 6 months ago

      They can. You can do individual radius accounts with trusted hosts on them.

    • @vewo234 6 months ago

      Thanks for the quick reply. Do I need to configure these as individual Radius accounts (Match a user on a remote server group) on every FGT or can it be done with "Match all users in a remote server group" by configuring the trusted hosts on the FortiAuthenticator somehow? I want to set the trusted hosts per account (only that person's office PC) but preferably still match all users of the radius group to avoid having to configure every account on every FGT.

    • @toolboy3555 6 months ago

      @@FortinetGuru one of the issues I found doing this is trying to ssh into a box. I could never figure out how to get the Fortitoken prompt to work in Putty or Moba. So for now I just use trusted hosts and local in's. Would love to figure this out. Also I changed my admin-sport, ssh, and telnet ports to various obscure ports.

    • @toolboy3555 6 months ago

      @@vewo234 You can do this via user groups on the gates that match the admin user groups on the authenticator. Each gate would need the group attached to the authenticator(Radius server, unless utilizing LDAP). This way, all your admins and 2FA's are managed by the Authenticator. If you see my comment about accessing a gate via ssh, I can't seem to get the Tokens to work in Putty or Moba. If you do, please let me know.