How to meet the requirements for FSBP SH01.1 and SH01.2 in the Security Rating Report

This article describes how to meet the standards of Fortinet Security Best Practice (FSBP) SH01.1 and SH01.2, which recommend disabling Telnet and HTTP administrative access on the interfaces.

Scope

FortiGate.

Solution

The Security Posture section of FortiGate Security Rating includes FSBP SH01.1 and SH01.2. This section can be found under Security Fabric > Security Rating.

The following screenshots show a failure to meet the standards of FSBP SH01.1 and FSBP SH01.2:

  • FSBP SH01.1 recommends disabling Telnet administrative access on the interfaces that are categorized as ‘WAN’ and are present in a firewall policy.
  • FSBP SH01.2 recommends disabling HTTP administrative access on the interfaces that are present in a firewall policy.

Telnet and HTTP are both insecure, outdated protocols that lack encryption and transmit data in plaintext. This makes them vulnerable to various attacks. Best practices recommend using HTTPS and SSH instead of HTTP and Telnet, as they provide enhanced security.

There are two ways to meet these requirements:

Step 1: Select the Apply button under Recommendations as shown in the screenshots below. This will disable the administrative access automatically on the listed interfaces without any need for manual configuration.

Step 2: Manually disable these protocols in administrative access on the listed interfaces.

  1. In the web GUI, navigate to Network > Interfaces.
  2. Select and edit the interface.
  3. Uncheck HTTP and TELNET under Administrative Access.

After making either of the above changes to meet this requirement, navigate to Security Fabric > Security Rating and select ‘Run Now’ under ‘Report details’. This will generate a new security rating report, which will include the new result for FSBP SH01.1 and SH01.2 as shown in the following screenshot:

To disable Telnet globally on the FortiGate, follow the steps in Technical Tip: Administrative access – disable Telnet permanently.
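
An offline cross-check of the two conditions described above, added here as an example that is not part of the original article or Fortinet's own code: it parses a configuration backup and lists the interfaces that would still fail. The sample configuration is constructed, and the rule logic is an assumed reading of the article's description of SH01.1 and SH01.2, not the Security Rating engine's implementation.

```python
import shlex
# Constructed single-VDOM sample backup, not from the article; audit() is an assumed reading of its rule text.
SAMPLE = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set allowaccess ping https http telnet
    next
    edit "dmz"
        set allowaccess ping http
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
end
"""

def parse_section(config, header):  # -> {entry: {setting: [values]}}
    entries, current, depth = {}, None, 0
    for line in map(str.strip, config.splitlines()):
        if depth == 0:
            depth = int(line == header)  # wait for the section header
        elif line.startswith("config "):
            depth += 1  # nested block such as "config ipv6"; its settings are skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = entries.setdefault(shlex.split(line)[1], {})
        elif depth == 1 and line.startswith("set ") and current is not None:
            _, key, *values = shlex.split(line)
            current[key] = values
    return entries

def audit(config):
    policies = parse_section(config, "config firewall policy").values()
    # Interfaces referenced by any firewall policy, on either side.
    used = {i for p in policies for k in ("srcintf", "dstintf") for i in p.get(k, [])}
    findings = []
    for name, cfg in parse_section(config, "config system interface").items():
        access = cfg.get("allowaccess", []) if name in used else []
        if "telnet" in access and cfg.get("role") == ["wan"]:  # SH01.1: WAN role only
            findings.append(("SH01.1", name, "telnet"))
        if "http" in access:  # SH01.2: any interface present in a policy
            findings.append(("SH01.2", name, "http"))
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports wan1 for both checks and internal for SH01.2 only; dmz is not reported because no firewall policy references it.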