How to Strengthen Your FortiGate
When purchasing a UTM-Firewall, the default settings are usually not enough to prevent your Firewall from getting hijacked. Outlined below is a few steps you can take to effectively prevent malicious access to your Firewall.
Put the FortiGate unit a physically secure location.
Providing a secure location for your networking equipment can prevent not only malicious actors from disrupting your network but also accidental as well. Depending on your level of security compliance (HIPAA, PIC or Sarbanes-Oxley)
Ensure your device is configured with the latest provided version of Firmware
Staying up-to-date on the periodical updates FortiGate provides will allow you to mitigate against the latest 0-days and released exploits.
Disable external admistrative access
A good way to prevent un-authorized access is only to allow administration internally. A good way to bypass the local limitation is by setting up an SSL-based VPN. That way you can protect your network against external actors and also have the flexibility of not needing to be on-site everytime you want to make a change.
To disable admistrative access, head to Network then Interfaces and edit the interface to disable HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.
Disable auto installation via USB
Although most security experts say that if an attacker has physical access then the jig is up, you can still prevent unauthorized firmware installation via USB. To do so, execute these commands via CLI:
config system auto-install
set auto-install-config disable
set auto-install-image disable
Configure logging and auditing for signs of intrusion and probing.
Logging is a good step across any hardware used for network administration. To do so, go to Log & Report and then Log Settings. You can configure alert emails to be triggered for certain events.