2.2 System Configuration & FortiGuard
Key Takeaways
- FortiGate ships with the default admin account named admin (no password); the default GUI port is HTTPS 443 and the default CLI port is SSH 22.
- Administrative access per interface is controlled by the allowaccess list (HTTPS, SSH, PING, SNMP, FMG-Access) — restricting it is a core hardening step.
- Administrator profiles (access profiles) define read/write permissions; the built-in super_admin profile grants full control and is assigned to the default admin account.
- Firmware should follow the Fortinet supported upgrade path one major version at a time; configuration backups can be encrypted and restored from GUI or CLI.
- FortiGuard subscription services (antivirus, IPS, web/DNS filtering, application control) are licensed per device and pulled from the FortiGuard Distribution Network.
Initial Setup and Administrative Access
A new FortiGate ships with a default administrator account named admin that has no password — changing this password is the first hardening step. The web GUI is reached over HTTPS on port 443 by default, and the CLI is reached over SSH on port 22. Out of the box, a designated port (often port1 or a dedicated mgmt interface) has a factory IP such as 192.168.1.99.
Each FortiGate interface has an allowaccess list that controls which management protocols are permitted on that interface. Common values include:
| Protocol | Purpose |
|---|---|
| HTTPS | Web GUI administration (TLS) |
| HTTP | Web GUI (insecure; redirects to HTTPS) |
| SSH | Encrypted CLI access |
| TELNET | Plaintext CLI (insecure; avoid) |
| PING | ICMP echo for reachability testing |
| SNMP | Monitoring via SNMP polling |
| FMG-Access | Allows FortiManager to manage the device |
| FABRIC | Security Fabric communication |
Hardening best practice is to remove HTTP and TELNET, limit HTTPS/SSH to management interfaces only, and use trusted host restrictions on admin accounts so administration is allowed only from specific source IP ranges.
DNS and System Time
The FortiGate needs working DNS to resolve FortiGuard servers, FQDN address objects, and update servers; primary and secondary DNS servers are set under system DNS settings. System time should be synchronized using NTP (Network Time Protocol) — accurate time is essential for valid log timestamps, certificate validation, and scheduled policies. Time and NTP settings are configured under System > Settings in the GUI.
Administrator Accounts and Profiles
Administrator accounts can authenticate locally (password stored on the FortiGate) or against a remote server (RADIUS, LDAP, or TACACS+). Each account is bound to an administrator profile (also called an access profile) that defines what the administrator can see and change.
- super_admin — A built-in profile granting full read/write access to every part of the configuration. The default admin account uses this profile. It cannot be edited or deleted.
- Custom profiles — Administrators can create profiles that grant read-only, read-write, or none access per feature area (firewall, VPN, system, logging, etc.), supporting role-based delegation.
Additional account controls include trusted hosts (restricts the source IPs an admin can connect from), two-factor authentication, idle timeout, and password policy enforcement.
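The allowaccess hardening guidance and the trusted-host control described above can be checked offline against a configuration backup. The following is an added example, not Fortinet code: the function names `parse` and `audit`, the sample configuration, and the assumption that the management interface is named `mgmt` are all illustrative.

```python
import re

# Constructed sample in FortiOS backup syntax; names and addresses are illustrative.
SAMPLE = """config system interface
    edit "wan1"
        set allowaccess ping https http telnet
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "mgmt"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
    next
    edit "auditor"
        set trusthost1 10.10.10.0 255.255.255.0
    next
end
"""

def parse(text):
    """Return {section: {entry: {key: [values]}}}, skipping nested config blocks."""
    out, section, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = out.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1  # a nested "end" must not close the top-level section
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return out

def audit(text, mgmt=("mgmt",)):  # mgmt: assumed management interface names
    cfg, findings = parse(text), []
    for name, s in cfg.get("system interface", {}).items():
        allowed = {"https", "ssh"} if name in mgmt else set()
        bad = set(s.get("allowaccess", [])) & {"http", "https", "ssh", "telnet"}
        findings += [(name, f"allowaccess {p}") for p in sorted(bad - allowed)]
    for name, s in cfg.get("system admin", {}).items():
        # No trusthostN entry, or only 0.0.0.0 0.0.0.0, means any source IP may log in.
        if all(v == ["0.0.0.0", "0.0.0.0"] for k, v in s.items() if k.startswith("trusthost")):
            findings.append((name, "no trusted hosts"))
    return findings
```

Calling `audit(SAMPLE)` flags HTTP, HTTPS and TELNET on `wan1` and the `admin` account with no trusted hosts, while `mgmt` and `auditor` pass.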
Firmware Upgrade Path
FortiOS firmware should be upgraded following the Fortinet supported upgrade path — you generally upgrade one major version at a time (for example 7.2 to 7.4 to 7.6) rather than jumping multiple versions, because skipping versions can corrupt the configuration migration. Always read the release notes, confirm hardware support, and back up the configuration before upgrading. Downgrading firmware typically resets the device to factory defaults, so a backup is critical.
Configuration Backup and Restore
The full FortiGate configuration can be backed up to a file from the GUI (System dashboard) or the CLI (execute backup config). Key points:
- Backups can be plain text or encrypted with a password; an encrypted backup can only be restored to a device using the same password.
- An unencrypted backup from one model generally cannot be restored to a different model.
- The configuration revision feature stores multiple saved revisions on the device (or on FortiManager), allowing quick rollback after a change.
- Restoring a configuration usually requires a reboot.
FortiGuard Subscription Services
FortiGuard is Fortinet's threat-intelligence and update service. Security features depend on FortiGuard subscription licenses activated per device. Major services include:
| FortiGuard Service | What It Provides |
|---|---|
| Antivirus / Antimalware | Virus and malware signatures for the AV engine |
| Intrusion Prevention (IPS) | Attack and exploit signatures for the IPS engine |
| Web Filtering | URL category ratings for web filter profiles |
| DNS Filtering | Domain category ratings applied at the DNS layer |
| Application Control | Application signatures for traffic identification |
| Antispam / Email Filtering | Spam and email reputation data |
The FortiGate downloads signature packages and queries live ratings from the FortiGuard Distribution Network (FDN). Signature package updates (AV, IPS, app control) are pulled on a schedule or pushed by FortiGuard, while web and DNS rating lookups are real-time queries cached locally. All FortiGuard traffic is sent from the management VDOM, so its internet path and DNS must be working. The license status and last update time are visible on the FortiGuard settings page; an expired license stops updates and rating lookups.
An administrator wants to ensure that the FortiGate web GUI can only be reached from the dedicated management interface and never over plaintext protocols. Which configuration achieves this?
Which statement about FortiGate firmware upgrades is correct?
A FortiGate is failing to receive antivirus and IPS signature updates and cannot resolve FortiGuard servers, even though user VDOMs have working internet access. What is the most likely cause?