Configuring authenticated access

To change administrator password minimum requirements – CLI:

config system password-policy set status enable

set apply-to admin-password set min-upper-case-letter 2 set min-lower-case-letter 4 set min-number 2

set min-non-alphanumeric 1

set change-4-characters enable end


The change-4-characters option forces new passwords to change a minimum of four characters in the old password. Changing fewer characters results in the new password being rejected. This option is only available in the CLI.


Password best practices

In addition to length and complexity, there are security factors that cannot be enforced in a policy. Guidelines issued to users will encourage proper password habits.

Best practices dictate that password expiration also be enabled. This forces passwords to be changed on a regular basis. You can set the interval in days. The more sensitive the information this account has access to, the shorter the password expiration interval should be. For example 180 days for guest accounts, 90 days for users, and 60 days for administrators.


  • real words found in any language dictionary
  • numeric sequences, such as “12345”
  • sequences of adjacent keyboard characters, such as “qwerty”
  • adding numbers on the end of a word, such as “hello39”
  • adding characters to the end of the old password, such as “hello39” to “hello3900”
  • repeated characters
  • personal information, such as your name, birthday, or telephone number.


Maximum logon attempts and blackout period

When you logon and fail to enter the correct password you could be a valid user, or a hacker attempting to gain access. For this reason, best practices dictate to limit the number of failed attempts to logon before a blackout period where you cannot logon.

To set a maximum of five failed authentication attempts before the blackout, using the following CLI command:

config user setting

set auth-invalid-max 5 end

To set the length of the blackout period to five minutes, or 300 seconds, once the maximum number of failed logon attempts has been reached, use the following CLI command:

config user setting

set auth-blackout-time 300 end

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.