Administrator Access; Operator Access; Optimizing Performance - Fortinet FortiRecorder 7.0.0 Administration Manual

Best practices

Administrator access

- As soon as possible during initial FortiRecorder setup, give the default administrator, "admin", a password. This super-administrator account has the highest level of permissions possible, and access to it should be limited to as few people as possible. See Setting the "admin" account password on page 23.
- Administrator passwords should be at least 8 characters long and include both numbers and letters.
- Change all passwords regularly. Set a policy — such as every 60 days — and follow it.
- Instead of allowing administrative access to the FortiRecorder appliance from any source, restrict it to trusted internal hosts (see Trusted hosts on page 63).
- On those computers that you have designated for management, apply strict patch and security policies. Always password-encrypt any FortiRecorder configuration backup that you download to those computers to mitigate the information that attackers can gain from any potential compromise. If your computer's operating system does not support this, you can use third-party software to encrypt the file.
- Do not give administrator-level access to all people who use the system. Usually, only a network administrator should have access to the network settings. Others should have operator accounts. This prevents others from accidentally or maliciously breaking the appliance's connections with cameras and computers. See Configuring administrator profiles on page 65.
- By default, an administrator login times out if it is idle for more than 5 minutes. You can change this to a longer period in the idle timeout settings, but Fortinet does not recommend it. Left unattended, a GUI or CLI session could allow anyone with physical access to your computer to change FortiRecorder settings. Small idle timeouts mitigate this risk. See Configuring the public port numbers and domain name on page 35.
- Restrict administrative access to a single network interface (usually port1), and only allow the management access protocols that you use.
- Use only the most secure protocols. Disable Access: PING, except during troubleshooting. Disable Access: HTTP, Access: SNMP, and Access: TELNET unless the network interface only connects to a trusted, private administrative network. See Configuring network interfaces on page 24.
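
One way to check the administrator-access items above against an inventory of settings, added here as an example and not taken from the Fortinet manual. The inventory format and field names are hypothetical (this does not parse a FortiRecorder configuration file), and treating the RFC 1918 ranges as "internal" is an assumption.

```python
import ipaddress

# Assumed definition of "internal": RFC 1918 ranges. Replace with your own management networks.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLEARTEXT = {"http", "snmp", "telnet"}   # acceptable only on a trusted, private admin network
MAX_IDLE_MIN, MAX_PW_AGE_DAYS = 5, 60    # default idle timeout and example rotation policy

def is_internal(cidr):
    """True if the trusted-host entry lies entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in INTERNAL)

def audit(cfg):
    """Return a sorted list of (subject, finding) tuples for a settings inventory."""
    out = []
    if cfg["idle_timeout_min"] > MAX_IDLE_MIN:
        out.append(("global", "idle timeout above 5 minutes"))
    managed = [name for name, i in cfg["interfaces"].items() if set(i["access"]) - {"ping"}]
    if len(managed) > 1:
        out.append(("global", "administrative access on more than one interface"))
    for name, i in cfg["interfaces"].items():
        access = set(i["access"])
        if "ping" in access:
            out.append((name, "ping enabled (troubleshooting only)"))
        if not i.get("private_admin_net", False):
            out += [(name, f"{p} enabled on untrusted network") for p in sorted(access & CLEARTEXT)]
    for user, a in cfg["admins"].items():
        hosts = a["trusted_hosts"]
        if not hosts or not all(is_internal(h) for h in hosts):
            out.append((user, "login not restricted to trusted internal hosts"))
        if a["password_age_days"] > MAX_PW_AGE_DAYS:
            out.append((user, "password older than 60 days"))
    return sorted(out)

# Constructed sample inventory (hypothetical format, not a FortiRecorder export).
SAMPLE = {
    "idle_timeout_min": 30,
    "interfaces": {
        "port1": {"access": ["https", "ssh", "ping"]},
        "port2": {"access": ["http", "telnet"]},
        "port3": {"access": ["https", "snmp"], "private_admin_net": True},
    },
    "admins": {
        "admin": {"trusted_hosts": ["0.0.0.0/0"], "password_age_days": 200},
        "noc": {"trusted_hosts": ["192.168.10.0/24", "10.1.2.3/32"], "password_age_days": 12},
    },
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```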

Operator access

- Authenticate users only over encrypted channels such as HTTPS. Authenticating over non-secure channels such as Telnet or HTTP exposes the password to any eavesdropper. For certificate-based server or FortiRecorder authentication, see Replacing the default certificate for the GUI on page 92.
- Immediately revoke certificates that have been compromised. If possible, automate the distribution of certificate revocation lists (see Revoking certificates on page 98).

Optimizing performance

When configuring your FortiRecorder, many settings and practices can yield better performance.
All deployment components can affect performance:
- FortiRecorder
- cameras
- computer with FortiCentral or a web browser that connects to FortiRecorder

Total performance is a combination of:

FortiRecorder 7.0.0 Administration Guide
Fortinet Inc.