2.4.7 Ensure default Admin ports are changed

Information

By default, the FortiGate administrative interface listens on the common ports 80 (HTTP) and 443 (HTTPS). Although administrative access is controlled per network interface, the FortiGate still listens on whichever admin ports are configured, which can also cause a conflict should 80 or 443 be needed for other configuration later on.

To increase the security of the FortiGate admin ports, moving them off the defaults reduces the attack surface should FortiGate admin access be targeted. As mentioned, the possible port conflict is also avoided.

Solution

config system global
    set admin-https-redirect disable
    set admin-port 8082
    set admin-server-cert "self-sign"
    set admin-sport 4343
end

(8082 and 4343 are examples; any other uncommon port may be used for admin-port and admin-sport.)

OR

From Web GUI:

1. System > Settings
2. Change the ports/settings under the 'Administration Settings' section.

NOTE: HTTPS redirection must be disabled in addition to changing port 80. This is due to how browser port redirection works: with redirection enabled, the FortiGate keeps listening on port 80 in order to redirect the browser to port 443 (or whichever 'admin-sport' is configured), so port 80 remains open even after 'admin-port' has been changed.
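The following Python check is added here as an illustration and is not part of the benchmark or of FortiOS. It audits saved `show system global` output against this control, treating settings absent from the output as defaults (admin-port 80 and admin-sport 443 per the page; admin-https-redirect defaulting to "enable" is an assumption), and flags the redirect caveat above.

```python
import re

# Constructed sample of `show system global` output after applying the
# Solution above; `show` prints only settings that differ from defaults.
HARDENED_CONFIG = """\
config system global
    set admin-https-redirect disable
    set admin-port 8082
    set admin-server-cert "self-sign"
    set admin-sport 4343
end
"""

# Constructed sample of a device still at factory settings.
DEFAULT_CONFIG = """\
config system global
    set hostname "fgt-edge-01"
end
"""

# Assumed defaults: ports 80/443 are from the page; redirect=enable is assumed.
DEFAULTS = {"admin-port": "80", "admin-sport": "443", "admin-https-redirect": "enable"}

def parse_system_global(text):
    """Return {setting: value} for the 'set' lines inside 'config system global'."""
    settings = dict(DEFAULTS)
    in_block = False
    for line in text.splitlines():
        s = line.strip()
        if s == "config system global":
            in_block = True
        elif s == "end":
            in_block = False
        elif in_block:
            m = re.match(r'set (\S+) "?([^"]*)"?$', s)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings

def audit_admin_ports(text):
    """Return a list of findings; an empty list means the control passes."""
    cfg = parse_system_global(text)
    findings = []
    if cfg["admin-port"] == "80":
        findings.append("admin-port is the default 80")
    if cfg["admin-sport"] == "443":
        findings.append("admin-sport is the default 443")
    if cfg["admin-https-redirect"] != "disable":
        findings.append("admin-https-redirect is enabled, so port 80 stays open")
    return findings
```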

Impact

Unauthorized access to a FortiGate or any firewall could prove very costly. While this is a single hardening step of many, it is an important one when hardening any firewall.

See Also

https://workbench.cisecurity.org/benchmarks/15284

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, MEDIA PROTECTION, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|MP-2, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|9.2, CSCv7|9.4

Plugin: FortiGate

Control ID: db5a187fe9009b122bf52bba933c8116477207766dcbadee0af23a83370c9040