The FortiGate device must use LDAPS for the LDAP connection.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-234208	FGFW-ND-000245	SV-234208r611813_rule		High

Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.

STIG	Date
Fortinet FortiGate Firewall NDM Security Technical Implementation Guide	2022-09-12

Details

Check Text ( C-37393r611811_chk )
Log in to the FortiGate GUI with Super-Admin privilege. 1. Open a CLI console, via SSH or available from the GUI. 2. Run the following command: # show full-configuration user ldap \| grep -i ldaps The output should be: set secure ldaps If set secure is not set to ldaps, this is a finding.

Fix Text (F-37358r611812_fix)
Log in to the FortiGate GUI with Super-Admin privilege. 1. Open a CLI console, via SSH or available from the GUI. 2. Run the following command: # config user ldap # edit {ldap_server_name} # set server {server_ip} # set cnid {cn} # set dn {dc=XYZ,dc=fortinet,dc=COM} # set type regular # set username {cn=Administrator,dc=XYA, dc=COM} # set password {bind password} # set secure ldaps # set ca-cert {CA certificate name} # next # end

Fix Text (F-37358r611812_fix)

Log in to the FortiGate GUI with Super-Admin privilege.

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
# config user ldap
# edit {ldap_server_name}
# set server {server_ip}
# set cnid {cn}
# set dn {dc=XYZ,dc=fortinet,dc=COM}
# set type regular
# set username {cn=Administrator,dc=XYA, dc=COM}
# set password {bind password}
# set secure ldaps
# set ca-cert {CA certificate name}
# next
# end