
Security Best Practices

For stronger security, implement the following security best practices.

Administrator access best practices

  • Enable password policy and set requirements for the administrator password. The password policy lets you specify the administrator's password minimum length, type of characters it must contain, and the number of days to password expiry.
  • Use CLI commands to configure the administrator's password lockout and retry attempts.

    For example, to lock the administrator account after two failed login attempts and keep it locked for two minutes (120 seconds) before another login is allowed, enter the following CLI commands:

    config system global
        set admin-lockout-threshold 2
        set admin-lockout-duration 120
    end

  • Set a lower idle timeout so that unattended workstations are logged out.
  • Use multi-factor authentication and RADIUS authentication for administrators. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.
  • Limit administrator access. For example, configure trusted hosts and allowaccess.

Encryption best practices

Set a strong encryption level. Use the SSL protocol version (TLS version) that meets PCI compliance or your organization’s security requirements. For example:

config system global
    set enc-algorithm high
    set fgfm-ssl-protocol tlsv1.2
    set oftp-ssl-protocol tlsv1.2
    set ssl-protocol tlsv1.2
    set webservice-proto tlsv1.2
    set ssl-low-encryption disable
end

config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
end

The enc-algorithm setting allows you to specify the security levels for cipher suites.

  • set enc-algorithm low uses all OpenSSL ciphers.
  • set enc-algorithm medium uses high and medium OpenSSL ciphers.
  • set enc-algorithm high (default) uses only high OpenSSL ciphers.

For more information about cipher security levels, see the FortiAnalyzer Administration Guide.

For more information about setting the SSL protocol version, see the applicable knowledge base article: Setting SSL Protocol Version on FortiManager and Setting SSL Protocol Version on FortiAnalyzer.

Other security best practices

  • Disable unused interfaces.
  • Upgrade firmware to the latest version.
  • Install physical devices in a restricted area.
  • Place the FortiAnalyzer behind a firewall, such as a FortiGate, to limit attempts to access the FortiAnalyzer device.
Note

When FortiAnalyzer is behind a FortiGate, AV and IPS features can be enabled on the FortiGate to further protect FortiAnalyzer from malware or intrusion attacks. See the FortiGate Administration Guide.

  • Set up NTP. For example:

    config system ntp
        set status enable
        set sync_interval 60
        config ntpserver
            edit 1
                set server {<address_ipv4> | <fqdn_str>}
            end
        end
    end

  • For audit purposes:
    • Use named accounts wherever possible.
    • Send logs to a central log destination.

Note

Do not lose the administrator login information, as there is no password recovery mechanism in FortiAnalyzer 5.4.0 and later.
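To check an existing unit against the settings recommended above (administrator lockout, enc-algorithm, the TLS protocol settings, and NTP), the following Python script is an added example and not Fortinet code. It parses a configuration export written in the `config` / `edit` / `set` / `next` / `end` syntax shown on this page and reports every recommended setting that is absent or weaker than recommended. The sample export, its server address, and the decision to accept tlsv1.3 alongside tlsv1.2 are assumptions made for the example.

```python
"""Audit a FortiAnalyzer / FortiManager CLI configuration export against the
hardening settings recommended on this page (admin lockout, cipher level,
TLS version, NTP).

Added example, not Fortinet code. It assumes the export uses the nested
`config ... / edit ... / set ... / next / end` syntax shown on the page;
the sample export and its address are constructed.
"""

from typing import Callable, Dict, List, Tuple

# Constructed sample export. One setting (enc-algorithm medium) is weaker
# than the page recommends so the audit has something to report.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-threshold 2
    set admin-lockout-duration 120
    set enc-algorithm medium
    set fgfm-ssl-protocol tlsv1.2
    set oftp-ssl-protocol tlsv1.2
    set ssl-protocol tlsv1.2
    set webservice-proto tlsv1.2
    set ssl-low-encryption disable
end
config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
end
config system ntp
    set status enable
    set sync_interval 60
    config ntpserver
        edit 1
            set server 192.0.2.10
        next
    end
end
"""


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Flatten an export into {"section/path": {key: value}}.

    `config a b` opens scope "a b"; `edit N` inside a table opens "a b/N";
    `next` closes an edit entry; `end` closes the innermost scope, or both
    the entry and its table when it appears inside an `edit` (the page's NTP
    example is written that way). A surplus `end` at top level is ignored.
    """
    stack: List[Tuple[str, str]] = []  # (kind, name), kind is "config" or "edit"
    result: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(("config", " ".join(args)))
        elif cmd == "edit":
            stack.append(("edit", " ".join(args).strip('"')))
        elif cmd == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif cmd == "end":
            if stack and stack[-1][0] == "edit":
                stack.pop()  # leave the entry ...
            if stack:
                stack.pop()  # ... and the scope that contains it
        elif cmd == "set" and args:
            path = "/".join(name for _, name in stack)
            result.setdefault(path, {})[args[0]] = " ".join(args[1:]).strip('"')
    return result


def _tls_ok(value: str) -> bool:
    # The page sets tlsv1.2; accepting tlsv1.3 as well is an assumption.
    return value in ("tlsv1.2", "tlsv1.3")


def _positive_int(value: str) -> bool:
    return value.isdigit() and int(value) > 0


# (section path, key, acceptance test, what the page recommends)
CHECKS: List[Tuple[str, str, Callable[[str], bool], str]] = [
    ("system global", "admin-lockout-threshold", _positive_int, "a small attempt count, e.g. 2"),
    ("system global", "admin-lockout-duration", _positive_int, "a lockout in seconds, e.g. 120"),
    ("system global", "enc-algorithm", lambda v: v == "high", "high"),
    ("system global", "ssl-low-encryption", lambda v: v == "disable", "disable"),
    ("system global", "fgfm-ssl-protocol", _tls_ok, "tlsv1.2 or newer"),
    ("system global", "oftp-ssl-protocol", _tls_ok, "tlsv1.2 or newer"),
    ("system global", "ssl-protocol", _tls_ok, "tlsv1.2 or newer"),
    ("system global", "webservice-proto", _tls_ok, "tlsv1.2 or newer"),
    ("fmupdate fds-setting", "fds-ssl-protocol", _tls_ok, "tlsv1.2 or newer"),
    ("system ntp", "status", lambda v: v == "enable", "enable"),
]


def audit(text: str) -> List[str]:
    """Return one finding per setting that is missing or weaker than recommended."""
    cfg = parse_config(text)
    findings: List[str] = []
    for section, key, ok, want in CHECKS:
        value = cfg.get(section, {}).get(key)
        if value is None:
            findings.append(f"{section}: {key} not set (want {want})")
        elif not ok(value):
            findings.append(f"{section}: {key} is '{value}' (want {want})")
    # Enabling NTP only helps if at least one server entry carries an address.
    servers = [v.get("server") for p, v in cfg.items()
               if p.startswith("system ntp/ntpserver/")]
    if not any(servers):
        findings.append("system ntp/ntpserver: no server configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of `show` from the sections in question. Exports made with plain `show` commonly omit values still at their factory defaults, so a "not set" finding means the setting was never hardened explicitly rather than that it has a wrong value; treat it as a prompt to set the value deliberately.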