2.4.1 Ensure default 'admin' password is changed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Before deploying any new FortiGate, it is important to change the password of the default admin account.

It is also recommended that you change the user name of the default admin account as well; however, since you cannot change the user name of an account that is currently in use, a second administrator account must be created first in order to do this.

Rationale:

Default credentials are well documented by most vendors, Fortinet included. They are therefore among the first things an attacker will try in order to gain unauthorized access to the system.

Impact:

If the default password is not changed, any script that uses the default credentials will be able to access the system.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

In the CLI, to change the password of the account 'admin':

FG1 # config system admin
FG1 (admin) # edit 'admin'
FG1 (admin) # set password <your password>
FG1 (admin) # end
FG1 #

To change the default password in the GUI:

1) Log in to the FortiGate with the admin account.
2) Go to System > Administrators.
3) Edit the admin account.
4) Click Change Password.
5) If applicable, enter the current password in the Old Password field.
6) Enter a password in the New Password field, then enter it again in the Confirm Password field.
7) Click OK.
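Because Nessus does not perform this check itself, the following is an added example of an offline compliance check, not part of the CIS benchmark or Tenable's audit: it parses the 'config system admin' section of a FortiGate configuration export and reports accounts with no password set, plus whether the default 'admin' account name is still in use. The sample configuration is constructed, and it assumes that an account with a password carries a 'set password ENC ...' line while an account with no password has no 'set password' line at all.

```python
# Constructed sample of a FortiGate configuration export (not taken from the page).
# Assumption: a set password appears as "set password ENC <hash>"; an account with
# no password simply has no "set password" line.
SAMPLE_CONFIG = """\
config system global
    set hostname "FG1"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "secops"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC placeholder_hash_value
    next
end
"""

def parse_admin_accounts(config_text):
    """Return {account_name: {setting: value}} for the 'config system admin' section."""
    accounts = {}
    in_admin = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_admin = True
        elif not in_admin:
            continue                      # skip other config sections entirely
        elif line == "end":
            break                         # end of the admin section
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            accounts[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            accounts[current][key] = value
    return accounts

def audit_default_admin(config_text):
    """Findings for CIS 2.4.1: accounts with no password, and a still-present 'admin' name."""
    accounts = parse_admin_accounts(config_text)
    findings = [f"{name}: no password set"
                for name, settings in accounts.items() if "password" not in settings]
    if "admin" in accounts:
        findings.append("admin: default account name still present (rename via a second admin account)")
    return findings
```

Run it against a real backup by reading the exported configuration file into `audit_default_admin`; an empty list means no finding.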

Default Value:

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to FortiGate, it is highly recommended that you add a password to this account.

Username: admin

Password: none. The default admin account does not have any password; just leave it blank.

See Also

https://workbench.cisecurity.org/files/4077