2. Users Management

CIS Guidelines for securing a pfSense Firewall

2.1 Ensure Sessions Timeout is set to less than or equal to 10 minutes

Description:

The session inactivity timeout setting represents the amount of time a user can be inactive before the user's session times out and closes. It only affects user browser sessions.

Rationale:

An indefinite or even a long session timeout window increases the risk of attackers abusing abandoned sessions.

Audit:

In the GUI:

- Navigate to System > User Manager.
- Click the Settings tab at the top.
- Check the 'Session Timeout' field.

Default Value: Username listed will be: 'admin'

Remediation:

In the GUI:

- Navigate to System > User Manager.
- Click the Settings tab at the top.
- Set 10 in the 'Session Timeout' field.
- Click Save.

CIS Controls:

Controls Version  Control
v8                14.3 Configure Automatic Session Locking on Enterprise Assets
                  Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
v7                16.11 Lock Workstation Sessions After Inactivity
                  Automatically lock workstation sessions after a standard period of inactivity.

2.2 Ensure LDAP or RADIUS server configured

Description:

Configure an LDAP server or a RADIUS server for central authentication.

Rationale:

An authentication, authorization and accounting (AAA) scheme provides an authoritative source for managing and monitoring access to devices.

Audit:

In the GUI:

- Navigate to System > User Manager.
- Click the Authentication Servers tab at the top.
- Check the "Authentication Servers" setting.

Default Value: Local Database

Remediation:

In the GUI:

- Navigate to System > User Manager.
- Click the Authentication Servers tab at the top.
- Configure the "Authentication Servers" setting.

CIS Controls:

Controls Version  Control
v8                5.6 Centralize Account Management
                  Centralize account management through a directory or identity service.
v7                16.2 Configure Centralized Point of Authentication
                  Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

2.3 Ensure Console Menu is Password Protected

Description:

Set the Console Menu to password protected.

Rationale:

An unattended computer with an open Console Menu session to the device could allow an unauthorized user access to the firewall’s management.

Audit:

In the GUI:

- Navigate to System > Advanced > Admin Access.
- Check the "Console Options" setting.

Default Value: 'Console menu' will be unchecked

Remediation:

In the GUI:

- Navigate to System > Advanced > Admin Access.
- Set the "Console Options" setting.
- Click "Save".

CIS Controls:

Controls Version  Control
v8                5.2 Use Unique Passwords
                  Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
v7                4.4 Use Unique Passwords
                  Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

2.4 Ensure all default accounts are either disabled or utilize strong passwords

Description:

Disable any known default accounts that are configured. Note: The default admin account must remain enabled for high availability synchronization to work. Disabling it could cause issues.

Rationale:

Default accounts are accounts with predefined usernames and passwords that are typically included with software and hardware devices. Attackers often target default accounts because they are widely known and can be used to gain unauthorized access to a system. To prevent unauthorized access, all default accounts should either be disabled or have their passwords changed.

Audit:

In the GUI:

- Navigate to System > User Manager > Users
- View the default users

Default Value: 'admin' is the only default user

Remediation:

In the GUI:

- Navigate to System > User Manager > Users
- Remove any default users that are not used.

Note: The default admin account must remain enabled for high availability synchronization to work. Disabling it could cause issues.

Additional Information:

The known default accounts are often (without limiting to) the following: 'admin', 'guest', 'user', 'root', 'administrator', 'operator', 'supervisor', and 'demo'. It is important to change the passwords of these accounts to prevent attackers from using them to gain unauthorized access to the system. The use of strong, unique passwords for all user accounts is also recommended to further enhance security.

CIS Controls:

Controls Version  Control
v8                4.7 Manage Default Accounts on Enterprise Assets and Software
                  Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
v7                16.9 Disable Dormant Accounts
                  Automatically disable dormant accounts after a set period of inactivity.
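As an added example (not part of the benchmark or of pfSense itself), the following Python script audits items 2.1 through 2.4 of this section against an exported pfSense config.xml instead of clicking through the GUI. The element paths (system/webgui/session_timeout, system/authserver, system/disableconsolemenu, system/user) are assumptions about the pfSense configuration layout, and the embedded XML is a constructed sample, not a real export. Item 2.4 can only be checked for enabled default-named accounts; password strength is not visible in the config.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense config.xml (not a real export).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui><session_timeout>240</session_timeout></webgui>
    <user><name>admin</name><scope>system</scope></user>
    <user><name>guest</name><scope>user</scope></user>
    <user><name>demo</name><scope>user</scope><disabled/></user>
  </system>
</pfsense>"""

# Default account names listed in the Additional Information of item 2.4.
DEFAULT_ACCOUNTS = {"admin", "guest", "user", "root", "administrator",
                    "operator", "supervisor", "demo"}


def audit_config(xml_text):
    """Return {item_id: (passed, detail)} for benchmark items 2.1 to 2.4.
    All element paths below are assumptions about the pfSense config layout."""
    system = ET.fromstring(xml_text).find("system")
    results = {}
    # 2.1: session timeout must be present and at most 10 minutes.
    # An absent value or 0 is treated as failing (assumed: 0 means never expire).
    timeout = system.findtext("webgui/session_timeout")
    ok = timeout is not None and timeout.isdigit() and 0 < int(timeout) <= 10
    results["2.1"] = (ok, f"session_timeout={timeout!r}")
    # 2.2: at least one LDAP or RADIUS authentication server must be defined.
    types = [a.findtext("type") for a in system.findall("authserver")]
    ok = any(t in ("ldap", "radius") for t in types)
    results["2.2"] = (ok, f"authservers={types}")
    # 2.3: console menu password protected (assumed flag element: disableconsolemenu).
    ok = system.find("disableconsolemenu") is not None
    results["2.3"] = (ok, "console menu password protected" if ok else "console menu open")
    # 2.4: default-named accounts other than admin must be disabled (admin stays enabled for HA sync).
    offending = [u.findtext("name") for u in system.findall("user")
                 if u.findtext("name") in DEFAULT_ACCOUNTS
                 and u.findtext("name") != "admin"
                 and u.find("disabled") is None]
    results["2.4"] = (not offending, f"enabled default accounts={offending}")
    return results


if __name__ == "__main__":
    for item, (passed, detail) in audit_config(SAMPLE_CONFIG).items():
        print(f"{item}: {'PASS' if passed else 'FAIL'} ({detail})")
```

Run it against a real export by reading the file into `audit_config` in place of SAMPLE_CONFIG; every item in the constructed sample fails, which matches the shipped defaults described in this section.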
