2.4.5 Ensure only encrypted access channels are enabled

Information

Allow only HTTPS access to the GUI and SSH access to the CLI.

By only allowing encrypted access, we are making it harder to use "Man in the Middle" attacks to sniff login credentials.

Solution

If HTTP or Telnet is in the allowaccess list, you will have to set that list again with the same elements except for http or telnet.

On CLI:

FG1 # config system interface
FG1 (interface) # edit port1
FG1 (port1) # set allowaccess ssh https ping snmp
FG1 (port1) # end
FG1 #

In the web GUI, click on:

1. Network > Interfaces, select the interface and click "Edit".
2. In the interface setting page, uncheck HTTP and Telnet in the section "Administrative Access".

See Also

https://workbench.cisecurity.org/benchmarks/15284

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|4.5

Plugin: FortiGate

Control ID: 9249ce5ad8cbcc41b9837502dc5f06bc51afb0cb6d8645d5114b92b751d9ea6c