2.1.1 Ensure 'Pre-Login Banner' is set - warning message

Information

Configure a pre-login banner, ideally approved by the organization's legal team. This banner should, at minimum, prohibit unauthorized access, provide notice of logging or monitoring, and avoid using the word 'welcome' or similar words of invitation.

Rationale:

Through a properly stated login banner, the risk of unintentional access to the device by unauthorized users is reduced. Should legal action take place against a person accessing the device without authorization, the login banner greatly diminishes a defendant's claim of ignorance.

Impact:

Login banners provide a definitive warning to any possible intruders that may want to access the FortiGate that certain types of activity are illegal, but at the same time, it also advises the authorized and legitimate users of their obligations relating to acceptable use.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Run the following command in the CLI to enable the pre-login-banner:

FG1 # config system global
FG1 (global) # set pre-login-banner enable
FG1 (global) # end
FG1 #

In the GUI, to edit the content of the pre-login disclaimer message:

go to 'System' -> 'Replacement Messages' -> 'Extended View' -> 'Pre-login Disclaimer Message'. The edit screen is on the bottom right corner of the page. Click on 'Save' after the editing is done.

Default Value:

the 'Pre-Login Banner' is disabled by default

FG1 # config system global

FG1 (global) # show

config system global

...

set pre-login-banner disable

...

end

the warning message default value is as follows:

PRE WARNING:

This is a private computer system. Unauthorized access or use

is prohibited and subject to prosecution and/or disciplinary

action. All use of this system constitutes consent to

monitoring at all times and users are not entitled to any

expectation of privacy. If monitoring reveals possible evidence

of violation of criminal statutes, this evidence and any other

related information, including identification information about

the user, may be provided to law enforcement officials.

If monitoring reveals violations of security regulations or

unauthorized use, employees who violate security regulations or

make unauthorized use of this system are subject to appropriate

disciplinary action.

See Also

https://workbench.cisecurity.org/files/4077