What tips and tricks about security hardening do you have? Post them below!

That was really a concise package of Fortigate security hardnening.. Your videos are really helpful for me.. Great work man.

Nice. I’m new to fortigate and this was great. Lead architect and customer will be happy with these simple hardening changes.

One tip that comes to mind is create and use geographical address objects. For example, if your company is based in the States, create a geo-usa address object and attach it to your incoming SSL-VPN connection policy so that only IP addresses from the geographical USA are allowed. This is also good for DMZ servers that should only be accessed from within a geographical region.

I have another tip for you: Change the self-signed certificate!!! Fortinet has the device serial number in it's certificate. If you have a partner-account with Fortinet, you'll be able to look up the status of it's support and licensing. If it expired 6 months ago, you'll have 6 months of zero-days the Fortinet-appliance will never detect. It's easy to do in 5 minutes. I used to give this to my students as an extra assignment if they had to wait for the rest of class to finish their other assignments. Better not to use the admin-port on the internet, but that's not always an option. Changing the certificate is.

great info! i'm a sonicwall guy, but still watch all your videos as things such as this cross-over. luckily i was already doing everything you mentioned and constantly review my configs.

Excellent content as always Mike!

The two built-in free FortiToken are very helpful.Thanks for the video.

Nice one!

Love the videos Mike. You break the steps down into layman's terms and it's made understanding concepts much easier. In regard to port 541 for Fgm access, is there a way to restrict this to forticloud ips? I assume by editing local in policies via cli. Find it odd they would leave 541 unrestricted for the mgmt from forticloud

Great video!! Nice new improvements overall (tooltips) 👍

Good stuff...thanks !!

Nice bro

Great videos, will you do a troubleshooting video using the fortinet tools in the future? Like the packet capture, debug flow and packet sniffer... Others may not know how easy it is to troubleshoot from there own device.

you are awesome

Great video Can you make a video about policy setup on fortinet when domain member PC is required in DMZ zone. How do you set it up and which traffic do you pass from DMZ ->INSIDE

I try to use Geolocation objects to scope access to 1) Internet facing websites (i.e. the ticketing system for a regional business doesn't need access from IP addresses sourced from Asia), 2) the remote access VPN, 3) HTTPS/SSH access if it must be available on the WAN interface. While an attacker could easily proxy through a US VPN to get around this, no sense in making it too easy for them.

Is there a way to add an address object to trusted hosts? I have done this on other firewalls, Sonicwalls recently, and it makes it much easier for "future proofing"

Is it possible to configuring the maximum log in attempts and lockout period from the gui? 6.4.9 ?

Hi Guru, urgently need help. I have convert config from McAfee to fortifate used by forticonvertor however not able to export config. I don't have licence for forticonvertor. Is there another way to do it.

Hey, I have problem with fortigate... Its brand new and when I just add security profile to my policy whole company cant acces office 365 :( they have certificate error for office things. Pls help

hello... i need one help please..... i have 1 ill with 5 static ip's provided by isp... how do i utilize all the ips as redundant... 2nd question is if we have 2 different isp's then we want to use both the isp in sdwan / isp groupings with one single virtual ip as fail over(means ISP "A" goes down traffic should flow with ISP "B" with minimal disruption to link) please advice as i'm new to this form.. thank you

I generally don't delete admin or root accounts. If you can''t rename it give it a very long password and then disable the account. I always create a new admin account using a completely different name so hackers can't guess it. On Linux servers make sure root don't have the ability to log into ssh.

(7:55) why not just rename admin in first place? why create new_account + use new_account and delete orig_admin?

How about setting up a VIP and port on the WAN interface for the LAN interface, then you can create a policy that allows specific IPs to hit the VIP ports for ssh and https access? Then you can disable all management protocols on the WAM interface. Thoughts?

I see 2 IP addresses that are hitting my firewall from outside that I want to block how will I do that?

I never administer using SSH or HTTPS, those are disabled. If I want to administer, I first connect via VPN.

Obscurity is not security