Fortinet black logo

Handbook

System settings

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:295300
Download PDF

System settings

There are several system settings that should be configured once your FortiGate is installed:

Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.

To change the default password:
  1. Go to System > Administrators.
  2. Edit the admin account.
  3. Select Change Password.
  4. Enter the New Password and re-enter the password for confirmation.
  5. Select OK.

For details on selecting a password and password best practices, see the section on Passwords.

It is also recommended to change the user name of this account; however, since you cannot change the user name of an account that is currently in use, a second administrator account will need to be created in order to do this.

For more information about creating and using administrator accounts, see the System administration chapter.

Settings

Settings can be accessed by going to System > Settings. On this page, you can change the Host name, set the system time and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle timeout in Administration Settings, designate the Password Policy, and manage display options and designate inspection mode in View Settings.

Changing the host name

The host name of your FortiGate appears in the Hostname row in the System Information widget on the Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP system name.

To change the host name on the FortiGate

Go to System > Settings and type in the new name in the Host name row. The only administrators that can change a FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the cluster.

System time

For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol (NTP) server.

NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs and other time-sensitive settings on the FortiGate are correct.

The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the FortiGate has successfully obtained the time from a configured NTP server.

note icon

By default, FortiOS has the daylight savings time configuration enabled. The system time must be manually adjusted after daylight saving time ends. To disable DST, enter the following commands in the CLI:

config system global

set dst disable

end

To set the date and time
  1. Go to the System > Settings.
  2. Under System Time, select your Time Zone by using the drop-down menu.
  3. Set Time by either selecting Synchronize with NTP Server or Manual settings. If you select synchronization, you can either use the default FortiGuard servers or specify a custom server. You can also set the Sync interval.
  4. If you use an NTP server, you can identify a specific interface for this self-originating traffic by enabling Setup device as local NTP server.
  5. Select Apply.

Administration settings

In order to improve security, you can change the default port configurations for administrative connections to the FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL would be https://192.168.1.99:99.

To configure the port settings:
  1. Go to System > Settings.
  2. Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed. You can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
  3. Select Apply.

When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is unique. If a conflict exists with a particular port, a warning message will appear.

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management PC is left unattended.

To change the idle timeout
  1. Go to System > Settings.
  2. In the Administration Settings section, enter the time in minutes in the Idle timeout field.
  3. Select Apply.

Password policy

The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:

  • minimum length between 8 and 64 characters.
  • if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
  • if the password must contain numbers (1, 2, 3).
  • if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
  • where the password applies (admin or IPsec or both).
  • the duration of the password before a new one must be specified.
To create a password policy - GUI
  1. Go to System > Settings.
  2. Configure Password Policy settings as required.
  3. Click Apply.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.

For information about recovering a lost password and enhancements to the process, see the Fortinet knowledge base or Resetting a lost Admin password.

View settings

Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.

To change the language, go to System > Settings. Select the language you want from the Language drop-down list: English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. For best results, you should select the language that is used by the management computer.

To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20 and 1,000. The default is 50 lines per page.

Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change your theme, select the color from the Theme drop-down list.

This is also where you select either Flow-based or Proxy Inspection Mode . If you select Flow-based mode, then you need to specify if it is NGFW Profile-based or NGFW Policy-based inspection.

Administrator password retries and lockout time

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

To configure the lockout options:

config system global

set admin-lockout-threshold <failed_attempts>

set admin-lockout-duration <seconds>

end

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

Example:

To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

config system global

set admin-lockout-threshold 1

set admin-lockout-duration 300

end

note icon

If the time span between the first failed login attempt and the admin-lockout-threshold failed login attempt is less than admin-lockout-duration, the lockout will be triggered.

CPU and memory thresholds

High CPU and memory use thresholds can be customized using the CLI.

To change the high CPU use threshold:
config system global
    set cpu-use-threshold <integer>
end

cpu-use-threshold <integer>

Threshold at which CPU use is reported, in percent (50 - 99, default = 90).

To change the memory use thresholds:
config system global
    set memory-use-threshold-extreme <integer>
    set memory-use-threshold-green <integer>
    set memory-use-threshold-red <integer>
end

memory-use-threshold-extreme <integer>

Threshold at which memory usage is considered extreme and new sessions are dropped, in percent of total RAM (70 - 97, default = 95).

memory-use-threshold-green <integer>

Threshold at which memory usage forces the FortiGate to exit conserve mode, in percent of total RAM (70 - 97, default = 82).

memory-use-threshold-red <integer>

Threshold at which memory usage forces the FortiGate to enter conserve mode, in percent of total RAM (70 - 97, default = 88).

System settings

There are several system settings that should be configured once your FortiGate is installed:

Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.

To change the default password:
  1. Go to System > Administrators.
  2. Edit the admin account.
  3. Select Change Password.
  4. Enter the New Password and re-enter the password for confirmation.
  5. Select OK.

For details on selecting a password and password best practices, see the section on Passwords.

It is also recommended to change the user name of this account; however, since you cannot change the user name of an account that is currently in use, a second administrator account will need to be created in order to do this.

For more information about creating and using administrator accounts, see the System administration chapter.

Settings

Settings can be accessed by going to System > Settings. On this page, you can change the Host name, set the system time and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle timeout in Administration Settings, designate the Password Policy, and manage display options and designate inspection mode in View Settings.

Changing the host name

The host name of your FortiGate appears in the Hostname row in the System Information widget on the Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP system name.

To change the host name on the FortiGate

Go to System > Settings and type in the new name in the Host name row. The only administrators that can change a FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the cluster.

System time

For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol (NTP) server.

NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs and other time-sensitive settings on the FortiGate are correct.

The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the FortiGate has successfully obtained the time from a configured NTP server.

note icon

By default, FortiOS has the daylight savings time configuration enabled. The system time must be manually adjusted after daylight saving time ends. To disable DST, enter the following commands in the CLI:

config system global

set dst disable

end

To set the date and time
  1. Go to the System > Settings.
  2. Under System Time, select your Time Zone by using the drop-down menu.
  3. Set Time by either selecting Synchronize with NTP Server or Manual settings. If you select synchronization, you can either use the default FortiGuard servers or specify a custom server. You can also set the Sync interval.
  4. If you use an NTP server, you can identify a specific interface for this self-originating traffic by enabling Setup device as local NTP server.
  5. Select Apply.

Administration settings

In order to improve security, you can change the default port configurations for administrative connections to the FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL would be https://192.168.1.99:99.

To configure the port settings:
  1. Go to System > Settings.
  2. Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed. You can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
  3. Select Apply.

When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is unique. If a conflict exists with a particular port, a warning message will appear.

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management PC is left unattended.

To change the idle timeout
  1. Go to System > Settings.
  2. In the Administration Settings section, enter the time in minutes in the Idle timeout field.
  3. Select Apply.

Password policy

The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:

  • minimum length between 8 and 64 characters.
  • if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
  • if the password must contain numbers (1, 2, 3).
  • if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
  • where the password applies (admin or IPsec or both).
  • the duration of the password before a new one must be specified.
To create a password policy - GUI
  1. Go to System > Settings.
  2. Configure Password Policy settings as required.
  3. Click Apply.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.

For information about recovering a lost password and enhancements to the process, see the Fortinet knowledge base or Resetting a lost Admin password.

View settings

Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.

To change the language, go to System > Settings. Select the language you want from the Language drop-down list: English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. For best results, you should select the language that is used by the management computer.

To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20 and 1,000. The default is 50 lines per page.

Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change your theme, select the color from the Theme drop-down list.

This is also where you select either Flow-based or Proxy Inspection Mode . If you select Flow-based mode, then you need to specify if it is NGFW Profile-based or NGFW Policy-based inspection.

Administrator password retries and lockout time

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

To configure the lockout options:

config system global

set admin-lockout-threshold <failed_attempts>

set admin-lockout-duration <seconds>

end

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

Example:

To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

config system global

set admin-lockout-threshold 1

set admin-lockout-duration 300

end

note icon

If the time span between the first failed login attempt and the admin-lockout-threshold failed login attempt is less than admin-lockout-duration, the lockout will be triggered.

CPU and memory thresholds

High CPU and memory use thresholds can be customized using the CLI.

To change the high CPU use threshold:
config system global
    set cpu-use-threshold <integer>
end

cpu-use-threshold <integer>

Threshold at which CPU use is reported, in percent (50 - 99, default = 90).

To change the memory use thresholds:
config system global
    set memory-use-threshold-extreme <integer>
    set memory-use-threshold-green <integer>
    set memory-use-threshold-red <integer>
end

memory-use-threshold-extreme <integer>

Threshold at which memory usage is considered extreme and new sessions are dropped, in percent of total RAM (70 - 97, default = 95).

memory-use-threshold-green <integer>

Threshold at which memory usage forces the FortiGate to exit conserve mode, in percent of total RAM (70 - 97, default = 82).

memory-use-threshold-red <integer>

Threshold at which memory usage forces the FortiGate to enter conserve mode, in percent of total RAM (70 - 97, default = 88).