2.2.1 Ensure 'Password Policy' is enabled

Information

It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.

Attackers can use brute-force password tools that go well beyond plain dictionary attacks; such tools also recover common passwords in which a letter has been replaced by a number or symbol.

Solution

The password policy can be configured from either the CLI or the GUI.

From CLI, do the following:

config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end

Or from GUI, do the following:

1) Log in to FortiGate as Super Admin
2) Go to 'System' > 'Settings'
3) Find the 'Password Policy' section
4) The default 'Password scope' is 'Off'; change it to 'Both'
5) Set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) Set a minimum of '1' in each of the fields 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
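An added example, not part of the CIS benchmark or of Tenable's audit plugin: a small Python checker that parses the 'config system password-policy' block as it appears in FortiOS configuration output and reports every setting that falls short of the values recommended above (minimum length at least 8, each character class at least 1, expiry enabled and no longer than 90 days, reuse disabled, policy applied to both admin passwords and IPsec pre-shared keys). It assumes the block was captured with 'show full-configuration system password-policy' so that settings still at their default are not omitted from the output; the two policy snippets inside the script are constructed samples, not output from a real device.

```python
import re

# Scopes the benchmark expects the policy to apply to (CLI 'apply-to' values).
REQUIRED_SCOPES = {"admin-password", "ipsec-preshared-key"}

# Constructed sample: a policy that meets or exceeds the benchmark values.
COMPLIANT_POLICY = """\
config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set expire-status enable
    set expire-day 60
    set reuse-password disable
end
"""

# Constructed sample: a policy with several weak or missing settings.
WEAK_POLICY = """\
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 6
    set min-lower-case-letter 1
    set min-upper-case-letter 0
    set min-non-alphanumeric 0
    set min-number 1
    set expire-status disable
    set expire-day 180
    set reuse-password enable
end
"""


def parse_password_policy(config_text):
    """Return the 'set <key> <value...>' pairs found inside the
    'config system password-policy' block, or None if no such block exists.
    Assumes full-configuration output, so defaults are listed explicitly."""
    settings = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system password-policy":
            settings = {}
            continue
        if settings is None:
            continue
        if line == "end":
            break
        m = re.match(r"set\s+(\S+)\s+(.+)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def _to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_password_policy(config_text):
    """Compare the parsed policy against the benchmark values.
    Returns a list of human-readable findings; an empty list means compliant."""
    s = parse_password_policy(config_text)
    if s is None:
        return ["no 'config system password-policy' block found"]
    findings = []

    def want(key, expected):
        actual = s.get(key)
        if actual != expected:
            findings.append(f"{key}: expected '{expected}', found '{actual}'")

    def at_least(key, minimum):
        if (_to_int(s.get(key)) or 0) < minimum:
            findings.append(f"{key}: expected >= {minimum}, found '{s.get(key)}'")

    want("status", "enable")
    # 'apply-to' may list several scopes on one line; both must be present.
    missing = REQUIRED_SCOPES - set(s.get("apply-to", "").split())
    if missing:
        findings.append(f"apply-to: missing {sorted(missing)}")
    at_least("minimum-length", 8)
    for key in ("min-lower-case-letter", "min-upper-case-letter",
                "min-non-alphanumeric", "min-number"):
        at_least(key, 1)
    want("expire-status", "enable")
    # Expiry must be enabled and no longer than 90 days; shorter is acceptable.
    days = _to_int(s.get("expire-day"))
    if days is None or not 0 < days <= 90:
        findings.append(f"expire-day: expected 1..90, found '{s.get('expire-day')}'")
    want("reuse-password", "disable")
    return findings


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY)):
        result = audit_password_policy(text)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for f in result:
            print("  -", f)
```

Feed the script the text captured from the device and treat any non-empty findings list as a failed check; a missing key is reported as a finding rather than silently assumed to be at the benchmark value, which matters when the capture was taken with plain 'show' instead of 'show full-configuration'.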

Impact:

Weak passwords can easily be discovered by attackers, leading to unauthorized access to the FortiGate. Depending on the privileges of the compromised account, the attacker may be able to modify important settings.

See Also

https://workbench.cisecurity.org/benchmarks/15284

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: FortiGate

Control ID: fed3cfa592266b2b1c951adb982948a5c33c3e8c1f6e681d7def229992580b99