Information
Configure a pre-login banner, ideally approved by the organization's legal team. This banner should, at minimum, prohibit unauthorized access, provide notice of logging or monitoring, and avoid using the word 'welcome' or similar words of invitation.
Rationale:
Through a properly stated login banner, the risk of unintentional access to the device by unauthorized users is reduced. Should legal action take place against a person accessing the device without authorization, the login banner greatly diminishes a defendant's claim of ignorance.
Impact:
Login banners provide a definitive warning to any possible intruders that may want to access the FortiGate that certain types of activity are illegal, but at the same time, it also advises the authorized and legitimate users of their obligations relating to acceptable use.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Run the following command in the CLI to enable the pre-login-banner:
FG1 # config system global
FG1 (global) # set pre-login-banner enable
FG1 (global) # end
FG1 #
In the GUI, to edit the content of the pre-login disclaimer message:
go to 'System' -> 'Replacement Messages' -> 'Extended View' -> 'Pre-login Disclaimer Message'. The edit screen is on the bottom right corner of the page. Click on 'Save' after the editing is done.
Default Value:
the 'Pre-Login Banner' is disabled by default
FG1 # config system global
FG1 (global) # show
config system global
...
set pre-login-banner disable
...
end
the warning message default value is as follows:
PRE WARNING:
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. All use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action.