Chapter 11 – Hardening

Install the FortiGate unit in a physically secure location

A good place to start with is physical security. Install the FortiGate unit in a secure location, such as a locked room or a room with restricted access. This way unauthorized users can’t get physical access to the device.

If unauthorized users have physical access they can disrupt your entire network by disconnecting your FortiGate unit (either by accident or on purpose). They could also connect a console cable and attempt to log into the CLI. Also, when a FortiGate unit reboots, a person with physical access can interrupt the boot process and install different firmware.


Maintain the firmware

On installation of a new firewall, it is necessary to update the firmware to the latest version provided by the manufacturer.

Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you have registered your FortiGate unit, you can download firmware updates from the support web site,

Before you install any new firmware, be sure to follow the steps below:

  • Review the Release Notes for a new firmware release.
  • Review the Supported Upgrade Paths document to make sure the upgrade from your current image to the desired new image is supported.
  • Backup the current configuration, including local certificates.
  • Test the new firmware until you are satisfied that it applies to your configuration.


Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

Only FortiGate admin users and administrators whose access profiles contain system read and write privileges can change the FortiGate firmware.


Add new administrator accounts

Rather than allowing all administrators to access the FortiGate unit with the admin administrator account you should create administrator accounts for each person that requires administrative access. That way you can track who has made configuration changes and performed other administrative activities. Keep the number of administrative accounts to a minimum to keep better control on who can access the device.

To add administrators go to System > Admin Profiles and select Create New.

If you want administrators to have access to all FortiGate configuration options, their accounts should have the prof_admin admin profile. Administrators with this profile can do anything except add new administrator accounts.

At least one account should always have the super_admin profile as this profile is required to add and remove administrators. To improve security only a very few administrators (usually one) should be able to add new administrators.

If you want some administrator accounts to have limited access to the FortiGate configuration you can create custom admin profiles that only allow access to selected parts of the configuration. To add custom admin profiles, go to System > Admin Profiles and select Create New.

For example, if you want to add an admin profile that does not allow changing firewall policies, when you configure the admin profile set Firewall Configuration to None or Read Only.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.