Fortinet Credential Rotation for SMBs: MFA and Recovery Steps

After the ACSC's FortiBleed critical alerts in June 2026, every small business running a FortiGate firewall or its SSL VPN should rotate administrative credentials, enforce MFA, and verify that management interfaces are not exposed to the open internet. Updated 24 June 2026.
Fortinet's own analysis and the ACSC coverage point at the same priorities, and those priorities apply even if you believe you patched months ago: reused credentials and missing MFA leave doors open regardless of firmware version.
This guide orders the tasks for businesses without a full-time security team. If you rely on a local IT provider, send them this checklist today.
Step 1: Terminate active sessions
Log into the FortiGate admin console and the SSL VPN monitor and end every session you cannot account for before you change passwords, then check again afterwards: changing a password does not tear down a session that is already established, so an attacker who is logged in can ride through the rotation untouched. On recent FortiOS releases the CLI shows logged-in administrators with "get system admin list" and drops one with "execute disconnect-admin-session <index>"; "execute vpn sslvpn list" and "execute vpn sslvpn del-tunnel <index>" do the same for SSL VPN tunnels.
Document who authorised each session you leave in place. MSPs should do this client by client rather than assuming one global password change covers everyone.
Step 2: Rotate every privileged password
Change every FortiGate admin account, every SSL VPN user password, and every API token used by automation (generate a new key for each api-user rather than reusing the old one). Do not stop at logins: IPsec pre-shared keys and SNMP community strings sit in the firewall configuration and must be treated as exposed if the device was. Prioritise internet-facing systems first. Use unique, generated passwords stored in a business password manager, never reused personal credentials.
CISA's June 2026 guidance, echoed by agencies globally, stresses strong password policies and immediate rotation on exposed appliances.
Step 3: Enable phishing-resistant MFA
Fortinet recommends MFA on all administrator and VPN accounts. Phishing-resistant means hardware security keys (FIDO2) where your appliance or identity provider supports them; app-based tokens such as FortiToken or a TOTP app are a large improvement but can still be relayed by a real-time phishing page; SMS codes beat nothing but are the weakest option.
Assign one owner to confirm MFA enrolment for every user and admin account. A partial rollout leaves the single unprotected admin as the weak link that gets attacked.
Step 4: Upgrade firmware and hashing settings
Move to a supported FortiOS release. Fortinet's technical tips describe newer releases hashing stored credentials with PBKDF2; follow the vendor documentation for your release train to remove legacy, weaker settings. Note that a stronger hashing scheme only applies when a password is set again, because the device cannot re-hash a password it no longer has in clear: if you upgrade after rotating, rotate once more.
Schedule maintenance windows with your MSP if uptime is sensitive. If you cannot upgrade today, rotate now and book the upgrade; doing neither is the worst outcome.
Step 5: Lock down management access
Management interfaces should not answer to arbitrary internet addresses. On the firewall, remove HTTPS and SSH from the administrative access list of any WAN interface, set trusted hosts on every admin account so logins are accepted only from office ranges, jump hosts or the provider's VPN, and review any firewall policy that allows TCP 443 or a custom admin port from anywhere. Moving the admin port off 443 reduces scanner noise but is not a substitute for the restriction.
Step 6: Audit AD and LDAP integrations
If FortiGate authenticates against Active Directory, treat the LDAP bind account and any other service account it uses as potentially compromised: its password is stored in the firewall configuration, so rotate it in AD and update the FortiGate LDAP server entry. Then review new accounts, privileged group membership changes, and logons from unexpected locations or at odd hours across the whole network, not only on the firewall.
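The review in Step 6 is easier to repeat if it is scripted. The following is an added example, not code from this page or from Fortinet or Microsoft: it runs the checks above over a small set of constructed Windows Security events (account created, member added to a privileged group, successful logon) and flags the things an SMB should escalate on. The event sample, the trusted networks, the service account name and the privileged group list are assumptions for the example; replace them with your own.

```python
import ipaddress

# Constructed sample of Windows Security events in the shape of a JSON export
# (for example Get-WinEvent piped through ConvertTo-Json). Every value is invented.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2026-06-20T02:11:05", "user": "svc-fortigate-ldap",
     "logon_type": 10, "src_ip": "198.51.100.7"},
    {"id": 4720, "time": "2026-06-20T02:14:40", "user": "helpdesk2",
     "actor": "svc-fortigate-ldap"},
    {"id": 4728, "time": "2026-06-20T02:15:02", "user": "helpdesk2",
     "group": "Domain Admins", "actor": "svc-fortigate-ldap"},
    {"id": 4624, "time": "2026-06-20T08:30:12", "user": "a.nguyen",
     "logon_type": 10, "src_ip": "10.8.0.23"},
    {"id": 4624, "time": "2026-06-20T09:02:44", "user": "svc-fortigate-ldap",
     "logon_type": 3, "src_ip": "192.168.10.1"},
]

# Assumptions for this example: the office LAN plus the SSL VPN client pool, the
# account FortiGate binds to LDAP with, and the groups treated as privileged.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.8.0.0/24")]
FIREWALL_SERVICE_ACCOUNTS = {"svc-fortigate-ldap"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to a global / local / universal group
INTERACTIVE_LOGON_TYPES = {2, 10}      # console and RDP; an LDAP bind account needs neither


def review_events(events, since="2026-06-01T00:00:00"):
    """Return (check, account, detail) findings for events at or after `since`
    (ISO-8601 timestamps compare correctly as text). 4720 = account created,
    4624 = successful logon."""
    findings = []
    for ev in events:
        if ev["time"] < since:
            continue
        eid, user = ev["id"], ev["user"]
        if eid == 4720:
            findings.append(("account-created", user, f"by {ev.get('actor')}"))
        elif eid in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append(("privileged-group-add", user, ev["group"]))
        elif eid == 4624:
            src = ipaddress.ip_address(ev["src_ip"])
            if not any(src in net for net in TRUSTED_NETS):
                findings.append(("logon-outside-trusted-nets", user, ev["src_ip"]))
            if user in FIREWALL_SERVICE_ACCOUNTS and ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
                findings.append(("service-account-interactive-logon", user, f"type {ev['logon_type']}"))
        # The firewall's bind account should never be the one creating users or changing groups.
        if ev.get("actor") in FIREWALL_SERVICE_ACCOUNTS:
            findings.append(("service-account-as-actor", ev["actor"], f"event {eid} on {user}"))
    return findings


if __name__ == "__main__":
    for check, account, detail in review_events(SAMPLE_EVENTS):
        print(f"{check:34} {account:20} {detail}")
```

Run against the sample, the bind account shows up three ways at once: an RDP logon from outside the trusted ranges, then creating a user, then adding that user to Domain Admins. Any one of those on its own is an escalation trigger under the section below; together they are the textbook shape of a firewall credential being reused inside the network.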
When to escalate to incident response
Unexpected VPN users, admin accounts nobody recognises, or configuration changes you did not authorise are indicators of compromise. Follow Fortinet's recovery guidance: isolate the device, rebuild it from clean firmware, and restore a configuration backup taken before the incident, after checking that backup for accounts and policies you do not recognise. Contact FortiGuard Incident Response if your internal team lacks forensic capacity.
Locate help through our repairer directory for local triage.
Ongoing habits after rotation
Quarterly credential audits, MFA enforced for new staff from day one, and a subscription to ACSC advisories reduce the chance of repeating this scramble. Pair this with our FortiBleed news summary for context.
Password policy details that matter
Rotation is not a licence to reuse patterns like Summer2026 across admin and VPN accounts. Generate unique passphrases of at least 16 characters for privileged roles and enforce that minimum in the firewall's password policy. Disable legacy SSL VPN settings that allow weak cipher suites or old TLS versions, and replace shared generic accounts such as “RemoteUser1” with named users.
Documenting the rotation for auditors and insurers
Keep a simple log: date, who performed the rotation, which accounts changed, MFA status per account, firmware version after the upgrade, and the management-access restrictions applied. Cyber insurers and enterprise customers increasingly ask for this evidence during onboarding; a one-page record beats reconstructing actions from memory weeks later.
If you outsource firewall work, require the MSP to attach a FortiGate configuration export or screenshots showing MFA enforcement and trusted-host settings rather than a vague “all good” email. Treat that export as sensitive: it contains hashed credentials, pre-shared keys and bind account passwords.
Testing after you harden
Verify that VPN login fails with the old passwords. Confirm the admin GUI is unreachable from a mobile hotspot outside your allow list. Test one legitimate remote worker's connection before announcing completion to staff. A broken VPN during a rushed rotation causes a helpdesk flood that tempts teams to reopen internet-facing admin “temporarily”, which is how the exposure comes back.
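The configuration export you ask an MSP for can be checked mechanically against Steps 3 and 5 and the password-policy points above, which also gives you a repeatable test after hardening. The script below is an added example written for this guide, not Fortinet tooling or code from this page: it parses a FortiGate "show full-configuration" style export and flags admin protocols allowed on a WAN interface, admin accounts without MFA or trusted hosts, VPN users without MFA or with generic names, and a password-policy minimum below 16 characters. The embedded configuration is constructed for the example; the wan-role heuristic, the RemoteUser name pattern and the assumed default minimum length of 8 are assumptions, and a real export has many more sections that the parser simply carries along.

```python
import re
import shlex

# Constructed sample of a FortiGate "show full-configuration" export, trimmed to the
# settings this guide cares about. Names, addresses and token serials are invented.
SAMPLE_CONFIG = """
config system password-policy
    set status enable
    set minimum-length 8
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "jsmith"
        set trusthost1 192.168.10.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000A1"
    next
end
config user local
    edit "RemoteUser1"
        set type password
    next
    edit "a.nguyen"
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000B2"
    next
end
"""

ADMIN_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Parse FortiOS CLI text into {section: {entry: {key: [values]}}}. 'set' lines
    directly under a section land under entry None; nested 'config' blocks are skipped."""
    tree, stack = {}, []  # stack frames: [section or None, current entry]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            section = " ".join(args) if not stack else None  # None marks a nested block
            if section is not None:
                tree.setdefault(section, {})
            stack.append([section, None])
        elif verb == "edit" and stack:
            stack[-1][1] = args[0]
        elif verb == "set" and stack and stack[-1][0] is not None:
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "next" and stack:
            stack[-1][1] = None
        elif verb == "end" and stack:
            stack.pop()
    return tree


def entries(tree, section):
    """Yield (name, settings) for each 'edit' entry of a section (skips section-level None)."""
    return ((n, c) for n, c in tree.get(section, {}).items() if n is not None)


def audit(config_text):
    """Return (check, subject) findings. Assumptions: an interface is internet-facing
    when its role is wan or its name starts with 'wan'; RemoteUser-style names are shared."""
    tree, findings = parse_fortios(config_text), []
    for name, cfg in entries(tree, "system interface"):
        exposed = set(cfg.get("allowaccess", [])) & ADMIN_PROTOCOLS
        if exposed and (cfg.get("role") == ["wan"] or name.startswith("wan")):
            findings.append(("mgmt-exposed-on-wan", name))
    for name, cfg in entries(tree, "system admin"):
        if cfg.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("admin-no-mfa", name))
        if not any(key.startswith("trusthost") for key in cfg):
            findings.append(("admin-no-trusthost", name))
    for name, cfg in entries(tree, "user local"):
        if cfg.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("vpn-user-no-mfa", name))
        if re.fullmatch(r"(?i)(remote)?user\d*", name):
            findings.append(("generic-vpn-account", name))
    policy = tree.get("system password-policy", {}).get(None, {})
    if policy.get("status") != ["enable"]:
        findings.append(("password-policy-disabled", "system"))
    elif int(policy.get("minimum-length", ["8"])[0]) < 16:  # 8 assumed as the unset default
        findings.append(("password-policy-too-short", policy["minimum-length"][0]))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

On the sample, "internal" allows HTTPS and SSH but is not flagged, because the point of Step 5 is the WAN side; "wan1" is. The admin account with trusted hosts and a FortiToken produces nothing, the default "admin" produces two findings, and the generic VPN user produces two. An empty result from this script is not proof of safety, but a non-empty one is a concrete list to hand back to the MSP.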
Shared accounts and break-glass procedures
Retire shared “admin” logins used by several technicians. Issue named accounts with MFA so that rotation and session termination target real people. Keep one break-glass account for disaster recovery only, with its password stored encrypted and offline, tested quarterly and rotated after every use.
MSP clients should confirm provider staff access is similarly named and revocable when contracts end.
Backup configuration discipline
Rebuilding a FortiGate after compromise depends on clean configuration exports taken before the incident and stored off the device. Monthly encrypted backups of firewall configs, certificate stores, and VPN user lists shorten recovery when a factory reset is required; use the backup encryption option and keep copies somewhere an attacker on the firewall cannot reach. Test a restore on a lab unit or spare hardware if your business cannot tolerate a day-long outage during the rebuild window.
Frequently Asked Questions
Should I rotate passwords if I already patched Fortinet devices?
Yes. Patching closes the vulnerability; it does not invalidate credentials or sessions an attacker harvested before the patch went on, and FortiBleed activity targets exactly those exposed credentials and weak MFA.
What MFA does Fortinet recommend?
Fortinet urges MFA on all admin and VPN accounts. Use the strongest option your appliance and identity system support: hardware keys first, then app-based tokens, with SMS only as a last resort.
Can a local repair shop help with FortiGate hardening?
Many SMB-focused IT providers listed in our directory can assist with rotation, MFA setup, and exposure checks if you lack in-house expertise.