System Settings

There are several system settings that should be configured once your FortiGate is installed:

Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.

To change the default password:
  1. Go to System > Administrators.
  2. Edit the admin account.
  3. Select Change Password.
  4. Leave Old Password blank, enter the New Password and re-enter the password for confirmation.
  5. Select OK.

 

For details on selecting a password and password best practices, see Passwords in Getting Started.

It is also recommended to change the user name of this account; however, since you cannot change the user name of an account that is currently in use, a second administrator account will need to be created in order to do this. For more information about creating and using administrator accounts, see the Administrators section of this guide.

Settings

Settings can be accessed by going to System > Settings. On this page, you can designate the centralized security management for your FortiGate in Central Management, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle timeout in Administration Settings, designate the Password Policy, and manage display options in View Settings.

Central Management

You can manage any size Fortinet security infrastructure, from a few devices to thousands of appliances, by using FortiManager or FortiCloud. You can configure your FortiGate for either of these centralized security management services through Central Management. Be sure that you have registered your device with the FortiManager appliance or FortiCloud host. For more information on configuring your FortiGate for Central Management, see Adding a FortiGate to FortiManager or FortiCloud.

Administration settings

To improve security, you can change the default port configurations for administrative connections to the FortiGate. After a port has been changed, the port must be included when connecting to the FortiGate, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL would be https://192.168.1.99:99.

To configure the port settings:
  1. Go to System > Settings.
  2. Under Administration Settings, change the port numbers for HTTP, HTTPS, Telnet, and/or SSH as needed. You can also select Redirect to HTTPS so that administrators do not connect over HTTP.

When you change the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique. If a conflict exists with a particular port, a warning message will appear.

Idle timeout

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management PC is left unattended.

To change the idle timeout:
  1. Go to System > Settings.
  2. In the Administration Settings section, enter the time in minutes in the Idle Timeout field.
  3. Select Apply.

Password Policy

The FortiGate includes the ability to create a password policy for administrators. With this policy, you can enforce regular changes and specific criteria for a password including:

  • minimum length between 8 and 64 characters.
  • if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
  • if the password must contain numbers (1, 2, 3).
  • if the password must contain non-alphanumeric characters (!, @, #, $, %, ^, &, *, ().
  • where the password applies (admin or IPsec or both).
  • the duration of the password before a new one must be specified.

To create a password policy - GUI:
  1. Go to System > Settings.
  2. Select Enable Password Policy and configure the settings as required.

 

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.

For information about recovering a lost password and enhancements to the process, see: Resetting a lost Admin password on the Fortinet Cookbook site.

View Settings

Three settings can change the presentation of information in the GUI: language, lines per page, and theme.

The default language of the GUI is English. To change the language, go to System > Settings. Select the language you want from the Language drop-down list. For best results, you should select the language that is used by the management computer.

To change the number of lines per page displayed in the GUI tables, set Lines Per Page to a value between 20 and 1,000. The default is 50 lines per page.

Five color themes are currently available: green (the default), red, blue, melongene, and mariner. To change your theme, select the color from the Theme drop-down list.

Time and date

For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol (NTP) server.

The Network Time Protocol enables you to keep the FortiGate time in sync with other network systems. By enabling NTP on the FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs and other time-sensitive settings on the FortiGate are correct.

The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the FortiGate has successfully obtained the time from a configured NTP server.

Note: By default, FortiOS has the daylight saving time configuration enabled. The system time must be manually adjusted after daylight saving time ends. To disable DST, enter the following command in the CLI:

config system global
    set dst disable
end

To set the date and time:
  1. Go to the Dashboard and locate the System Information widget.
  2. Beside System Time, select Change.
  3. Select your Time Zone.
  4. Under Set Time, either select Synchronize with NTP Server, or select Manual settings and manually set the system date and time. If you select synchronization, you can either use the default FortiGuard servers or specify a different server. You can also set the Sync Interval.
  5. Select OK.

 

If you use an NTP server, you can identify a specific port / IP address for this self-originating traffic. The configuration is performed in the CLI with the command set source-ip. For example, to set the source IP of NTP to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:

config system ntp
    set ntpsync enable
    set syncinterval 5
    set source-ip 192.168.4.5
end

Administrator password retries and lockout time

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time (by default, 60 seconds).

The number of attempts can be set to an alternate value, as well as the default wait time before the administrator can try to enter a password again. You can also change this to deter would-be hackers. Both settings must be configured with the CLI.

To configure the lockout options:

config system global
    set admin-lockout-threshold <failed_attempts>
    set admin-lockout-duration <seconds>
end

For example, to set the lockout threshold to one attempt and a five-minute duration before the administrator can try again to log in, enter the commands:

config system global
    set admin-lockout-threshold 1
    set admin-lockout-duration 300
end
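
The following is an added example, not part of the original guide or Fortinet's own tooling: a Python check that parses a FortiGate configuration backup and flags administrator-access settings weaker than the defaults this page documents (three retries, 60-second lockout, five-minute idle timeout), or a password policy that is not enabled. The sample configuration is constructed, and the `admintimeout` key and the `config system password-policy` / `set status` block are assumed CLI counterparts of the GUI settings above, since the page does not show them.

```python
import re

# Constructed sample of a configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admintimeout 30
    set admin-lockout-threshold 10
    set admin-lockout-duration 30
end
config system password-policy
    set status disable
end
"""

def parse_config(text):
    """Return {section: {key: value}} from 'set' lines of top-level config blocks; nested config blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                current = sections.setdefault(line[len("config "):], {})
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := re.match(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return sections

def audit(sections):
    """Flag admin-access settings weaker than the defaults the page documents."""
    g = sections.get("system global", {})
    findings = []
    # A key absent from the backup is treated as still at its documented default.
    if int(g.get("admin-lockout-threshold", 3)) > 3:
        findings.append("lockout threshold above the default of 3 attempts")
    if int(g.get("admin-lockout-duration", 60)) < 60:
        findings.append("lockout duration below the default of 60 seconds")
    # Assumed CLI names for Idle Timeout (minutes) and Enable Password Policy.
    if int(g.get("admintimeout", 5)) > 5:
        findings.append("idle timeout above the default of 5 minutes")
    if sections.get("system password-policy", {}).get("status") != "enable":
        findings.append("password policy not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE_CONFIG))))
```

Run against the page's own example values (threshold 1, duration 300) with the password policy enabled, the check returns no findings.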

Changing the host name

The host name of your FortiGate appears in the Host Name row in the System Information widget. The host name also appears at the CLI prompt when you are logged in to the CLI and as the SNMP system name.

To change the host name on the FortiGate, in the System Information widget, select Change in the Host Name row. The only administrators that can change a FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the cluster.