Fortinet 609 FortiWeb 5.0 Patch 6 Administration Guide
would prevent an attacker with physical access from connecting a cable to port4 and
thereby gaining access if the configuration inadvertently allows it.
Define the IP addresses of other trusted load balancers or web proxies to prevent spoofing
of HTTP headers such as X-Forwarded-For: and X-Real-IP: (see “Defining your
proxies, clients, & X-headers” on page 266).
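As an added illustration that is not part of the guide, the following Python sketch shows why the trusted-proxy list matters: a naive reader of X-Forwarded-For takes the leftmost value, which any client can forge, while a correct reader walks the chain from the right and stops at the first hop that is not a configured proxy. The proxy networks and request values are constructed placeholders.

```python
import ipaddress

# Constructed placeholder list of trusted load balancer / web proxy networks.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted(addr):
    """True if addr belongs to one of the configured trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed values are never trusted
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(peer_addr, xff):
    """Insecure: trusts the leftmost X-Forwarded-For entry, which the client controls."""
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def client_ip_trusted(peer_addr, xff):
    """Resolve the real client by discarding trusted proxies from the right of the chain.

    peer_addr is the TCP peer that connected to us; xff is the raw header value.
    """
    if not is_trusted(peer_addr):
        return peer_addr  # direct connection: the header is irrelevant
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the verified peer
        if not is_trusted(hop):
            return hop  # first untrusted hop from the right is the client
    # Every hop was a trusted proxy: the leftmost one originated the request.
    return hops[0] if hops else peer_addr
```

With the forged header "1.2.3.4, 203.0.113.7, 192.0.2.10" arriving from proxy 10.0.0.5, the naive function reports the attacker-chosen 1.2.3.4 while the trusted-proxy walk reports 203.0.113.7.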
Administrator access
As soon as possible during initial FortiWeb setup, give the default administrator, admin, a
password. This super-administrator account has the highest level of permissions possible,
and access to it should be limited to as few people as possible.
Change all administrator passwords regularly. Set a policy — such as every 60 days — and
follow it. (Click the Edit Password icon to reveal the password dialog.)
Figure 70: Edit Password dialog in System > Admin > Administrators
Instead of allowing administrative access to the FortiWeb appliance from any source, restrict
it to trusted internal hosts. (IPv6 entries of ::/0 will be ignored, but you should configure all
IPv4 entries.) See “Trusted hosts” on page 51. On those computers that you have
designated for management, apply strict patch and security policies. Always
password-encrypt any FortiWeb configuration backup that you download to those
computers, to limit what an attacker could learn from the backup if one of those
computers is compromised. See “Encryption Password” on page 209.