Chapter 7 – PCI DSS Compliance

Password complexity and change requirements

By default, the FortiGate unit admin account has no password. Be sure to define a password. PCI DSS password requirements are:

  • Require a minimum length of at least seven characters. (8.2.3)
  • Contain both numeric and alphabetic characters. (8.2.3)
  • Change user passwords/passphrases at least every 90 days. (8.2.4)


To facilitate creation of compliant administrator passwords, you can set a password policy. Go to Syste> Settings Select Enable Password Policy, enter the following and then select Apply.

The password policy does not apply to user passwords. Both password complexity and password expiry for users would need to addressed by making them a policy in your organization.

Minimum Length                       8 or more. (Field does not accept a value less than 8.)

Must Contain

At minimum, set a required number of Numerical Digits and either

Upper Case Letters or Lower Case Letters.

Also setting a required number of Non-alphabetic Letters is acceptable.

Apply Password Policy to       Select Administrator Password.

Enable Password Expir- ation

Set to 90 days or less. The default is 90 days.



Password non-reuse requirement

PCI DSS requires that passwords are not re-used to satisfy the change requirement:

  • Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. (8.2.5)

FortiGate users don’t set their own passwords. The super_admin administrators can and so can admins with appropriate access. There is, however, no FortiGate-based mechanism to limit re-use of passwords.


Administrator lockout requirement

PCI DSS requires a user account lockout for administrators to guard against unauthorized access attempts:

  • Limit repeated access attempts by locking out the administrator after not more than six attempts. (8.1.6),
  • Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. (8.1.7) You can meet these requirements with the following CLI commands:

config system global

set admin-lockout-threshold 6 set admin-lockout-duration 1800


The threshold can be less than 6 and the lockout duration can be more than 1800.


Administrator timeout requirement


PCI DSS requires:

  • If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. (8.1.8) By default, the idle timeout is five minutes. You can go to System > Settings and change the Idle Timeout timeout to any value up to the permitted value of 15 minutes.
This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.