FortiGate Next-Generation Firewall (NGFW) utilizes purpose-built security processors and threat intelligence services to deliver protection, encrypted traffic inspection and high performance. FortiGate reduces complexity with automated visibility into applications, users, networks and security-rated traffic, all with an easy-to-operate user interface and a full-featured command line interface (CLI). The importance of device hardening and firewall configuration cannot be overstated. This blog describes some of the hardening practices that can improve a FortiGate's security posture; they help ensure peak performance, security, and stability of FortiGate firewalls and the network infrastructure around them.
Basic Configuration
When a FortiGate is connected to the internet it is exposed to external risks, such as unauthorized access, man-in-the-middle attacks, spoofing, DoS attacks, and other malicious activities from bad actors.
The following is a general guideline for setting up a FortiGate firewall.
Change defaults – Either use the start-up wizard or manual reconfiguration to change the default settings and tighten security.
NAT mode – When granting cross-zone access from a less secure zone or interface to a more secure one, use NAT (translated IP addresses) so that the traffic can be monitored easily.
Hostname – It is recommended that each FortiGate has a meaningful hostname; this includes device naming in HA configurations. This allows for easy identification from other devices on the network, which matters most in larger deployments.
NTP – Network Time Protocol (NTP) or Precision Time Protocol (PTP) is used to set the system time. Accurate time is needed for, among other things, accurate logging, auditing, certificate expiration checks and security protocols.
Administrator password – The administrator password must be set when you first log in to the FortiGate. Ensure that the password is unique and has adequate complexity. Later you can integrate administrative access with an identity provider, e.g. LDAP, RADIUS or SAML, and leverage MFA.
Configure minimum services – Configure the IP address, subnet mask, and only the required administrative access services (such as HTTPS and SSH) on the management interface. Avoid public (internet) administrative access if possible; if it is required, enforce strict access using trusted hosts, VIPs with access policies via loopback interfaces, and/or local-in policies.
IPv6 – Consider using IPv6. Besides a near-limitless address space, IPv6 offers advantages over IPv4, including but not limited to:
More efficient routing due to smaller routing tables.
Stateless autoconfiguration of hosts: devices can configure their network settings automatically without manual intervention.
Limited disruption when switching providers.
No requirement for NAT, giving faster routing and packet processing.
Learn more: Basic Configurations.
Management Network
There are many benefits to using a dedicated management network for administrative access to your network devices:
Reliability: When management traffic is independent from production or business traffic, it does not have to compete for resources and is therefore less at risk of losing access when the production network is being reconfigured.
Simpler policies: Using a management interface allows for policy separation of management and production traffic. Policies with specific purposes are easier to understand and troubleshoot. Keep management traffic on an out-of-band (OOB) network, isolating it from the rest of the campus and/or data center. Leverage VRFs or VDOMs for management separation; VRFs simplify routing for OOB traffic so that it does not interfere with production traffic.
Security: It is more difficult for bad actors to access network devices on production networks when management access is on a separate network. In addition, leverage a console server for OOB access; this is helpful when devices are in a remote location, e.g. a data center, and console access is required.
Depending on the environment, a VLAN or segmented interface in the management network should be dedicated to all administrative access. Administrative access should be disabled on all other interfaces of the FortiGates. Avoid using the WAN interface, or any publicly exposed interface, for management, as it will be subject to attacks. If management access is required in-band, leverage loopback interfaces and firewall policies that allow access from trusted networks only.
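As an added example (not from the original post or Fortinet's own documentation), the following FortiOS CLI configuration puts the basic-setup and management-network advice above into practice: a meaningful hostname, authenticated NTP, administrative services only on a dedicated out-of-band port, and in-band management through a loopback interface that is reachable only from a trusted admin subnet via a firewall policy, with local-in policies as a second gate on the OOB port. All interface names, addresses, the NTP server and the key value are assumptions; the syntax follows FortiOS 7.x and should be checked against your build.

```fortios
# Added example: hostname, authenticated NTP and management access (FortiOS 7.x syntax).
# Interface names, IP addresses and key values are assumptions for illustration.

config system global
    set hostname "DC1-FGT-EDGE-01"             # give each HA member its own name as well
end

# Authenticated NTP: trustworthy time underpins logging, auditing and certificate checks
config system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "10.10.0.5"             # assumed internal NTP server
            set authentication enable
            set key-type sha1                  # key-type is available from 7.0.x; verify on your build
            set key-id 1
            set key "REPLACE_WITH_NTP_KEY"     # placeholder; keep the real key in your vault
        next
    end
end

# Dedicated OOB management port: only HTTPS and SSH; nothing on production or WAN ports
config system interface
    edit "mgmt"
        set ip 10.10.255.10 255.255.255.0
        set allowaccess https ssh
        set dedicated-to management            # model dependent; alternatively place it in its own VRF
        set description "OOB management"
    next
    edit "lo-mgmt"
        set type loopback
        set ip 10.99.99.1 255.255.255.255
        set allowaccess https ssh              # in-band management target, reached only via policy
    next
    edit "wan1"
        unset allowaccess                      # no administrative services on exposed interfaces
    next
    edit "internal"
        set allowaccess ping                   # no HTTPS/SSH on the production LAN itself
    next
end

config firewall address
    edit "NOC-admin-hosts"
        set subnet 10.20.0.0 255.255.255.0     # assumed trusted admin subnet
    next
    edit "lo-mgmt-addr"
        set subnet 10.99.99.1 255.255.255.255
    next
end

# In-band management: only the NOC subnet may reach the loopback, and only on HTTPS/SSH
config firewall policy
    edit 5
        set name "NOC-to-loopback-mgmt"
        set srcintf "internal"
        set dstintf "lo-mgmt"
        set srcaddr "NOC-admin-hosts"
        set dstaddr "lo-mgmt-addr"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set logtraffic all
    next
end

# Local-in policies on the OOB port: accept the NOC subnet, drop everyone else
config firewall local-in-policy
    edit 1
        set intf "mgmt"
        set srcaddr "NOC-admin-hosts"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set action accept
        set schedule "always"
    next
    edit 2
        set intf "mgmt"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set action deny
        set schedule "always"
    next
end
```

The built-in HTTPS and SSH service objects match ports 443 and 22; if you move the administrative ports to non-standard values, define custom service objects for those ports and reference them in the policies instead.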
User Authentication for management network access
The least privilege access principle should be used for controlling access to the FortiGate. The following are recommendations for accessing the FortiGate:
Enable Single Sign-On (SSO) – FortiGate firewalls support Single Sign-On (SSO) capabilities, which can greatly simplify the authentication process for users across various network resources. FortiGate integrates with popular SSO protocols such as Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP), and Active Directory (AD).
Set up a strong password policy – For local accounts on the FortiGate, define a password policy to ensure a minimum complexity level. Use trusted hosts for local accounts. Use FortiTokens (two are included free) for local account access; additional tokens can be purchased, or consider FortiAuthenticator for centralized MFA and token management.
Set up least privilege authorization – Administrator access should be limited to the scope of that administrator's work to reduce possible attack vectors.
Regular audit of user access – The list of users with access should be audited regularly to ensure that it is current. Consider using automation stitches to log and notify events of device access and changes.
Whitelist client IPs – Trusted hosts can also be used to specify the IP addresses or subnets that can log in to the FortiGate administration interface. Loopbacks, VIPs and/or local-in policies can be used to further tailor administrative access.
Enable Multi-Factor Authentication – When authenticating to the FortiGate, implement multi-factor authentication (MFA). This makes it significantly more difficult for an attacker to gain access to the FortiGate. MFA can be leveraged with an Identity Provider (IdP), e.g. FortiAuthenticator or Microsoft Entra ID (formerly Azure AD).
Avoid shared account usage – Do not use shared accounts to access the FortiGate. Shared accounts are more likely to be compromised and make password maintenance more difficult.
API usage – Keep API keys locked in a vault or password manager. Lock API access to trusted hosts, via local-in policies or VIPs/loopbacks.
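The following is an added example (not from the original post or Fortinet's documentation) of the local-account controls listed above: a password policy, a read-only administrator profile, a named administrator pinned to trusted hosts with FortiToken MFA, and an API user with its own least-privilege profile and a single trusted source. Account names, subnets, the token serial and the automation host are placeholders; the syntax follows FortiOS 7.x.

```fortios
# Added example: local-account controls (FortiOS 7.x syntax). Names, subnets and
# the token serial are placeholders; register the FortiToken before assigning it.

# Password policy for local administrators (and IPsec pre-shared keys)
config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key
    set minimum-length 14
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end

# Least-privilege profile: read-only across all feature groups
config system accprofile
    edit "noc-readonly"
        set comments "NOC tier-1: view only"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
    next
end

# Named (not shared) administrator, pinned to trusted hosts, with FortiToken MFA
config system admin
    edit "jdoe"
        set accprofile "noc-readonly"
        set trusthost1 10.20.0.0 255.255.255.0     # assumed NOC subnet
        set trusthost2 10.10.255.0 255.255.255.0   # assumed OOB management subnet
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000000"         # placeholder serial of a registered token
        set email-to "jdoe@example.com"            # used for token activation
        set password "REPLACE_WITH_STRONG_PASSWORD"
    next
end

# API account: its own least-privilege profile and a single trusted source host
config system api-user
    edit "ansible-ro"
        set accprofile "noc-readonly"
        set comments "Read-only automation; key kept in the vault"
        config trusthost
            edit 1
                set type ipv4-trusthost
                set ipv4-trusthost 10.20.0.50 255.255.255.255   # assumed automation host
            next
        end
    next
end
# Generate the key once and store it in the vault (it is displayed only once):
#   execute api-user generate-key ansible-ro
```

Administrators who need to change something get a separate profile scoped to exactly that feature group (e.g. fwgrp read-write) rather than a wider one; keeping the API user on a read-only profile means a leaked key cannot alter policy.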
Administrative Settings
The following general administrative settings are recommended:
Idle timeout – Set the idle timeout time for administrators to a low value, preferably less than ten minutes.
Usage of non-standard ports – Use non-standard HTTPS and SSH ports for administrative access, e.g. 443 -> 65443, 22 -> 65222.
Disable weak encryption protocols – Disable weak protocols and ciphers wherever possible, and review these settings on a regular basis.
Utilize trusted certificates – Replace the certificate that is offered for HTTPS access with a trusted certificate that has the FQDN or IP address of the FortiGate. Leverage the Let's Encrypt service on the FortiGate for easy certificate provisioning and renewal.
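As an added example (not from the original post or Fortinet's documentation), here are the administrative settings above expressed in the FortiOS CLI: a short idle timeout, non-standard administration ports, cleartext Telnet off, login lockout, strong crypto with only TLS 1.2/1.3 and modern SSH algorithms, and a Let's Encrypt certificate obtained through the built-in ACME client. The interface name, FQDN and e-mail address are assumptions; the SSH algorithm settings exist from FortiOS 7.0 and the accepted option names should be checked on your build.

```fortios
# Added example: global administrative settings (FortiOS 7.x syntax; check the SSH
# algorithm option names with "set ssh-kex-algo ?" on your build).

config system global
    set admintimeout 5                        # minutes of idle time before logout
    set admin-sport 65443                     # HTTPS administration on a non-standard port
    set admin-ssh-port 65222                  # SSH administration on a non-standard port
    set admin-telnet disable                  # never administer over cleartext
    set admin-lockout-threshold 3             # lock an account after 3 failed logins
    set admin-lockout-duration 300            # for 5 minutes
    set strong-crypto enable                  # the default, made explicit in the baseline
    set ssl-static-key-ciphers disable        # drop RSA key-exchange (non-PFS) cipher suites
    set admin-https-ssl-versions tlsv1-2 tlsv1-3
    set ssh-kex-algo curve25519-sha256@libssh.org ecdh-sha2-nistp256 diffie-hellman-group14-sha256
    set ssh-enc-algo aes256-gcm@openssh.com chacha20-poly1305@openssh.com aes256-ctr
    set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end

# Trusted certificate for the GUI via the built-in ACME client (Let's Encrypt by default).
# The HTTP-01 challenge must be reachable on port 80 of the chosen interface.
config system acme
    set interface "wan1"                      # assumed internet-facing interface
end
config vpn certificate local
    edit "fgt-acme-cert"
        set enroll-protocol acme2
        set acme-domain "fw.example.com"      # assumed FQDN that resolves to wan1
        set acme-email "netops@example.com"
    next
end
config system global
    set admin-server-cert "fgt-acme-cert"     # serve the ACME certificate on the admin port
end
```

Changing the administrative ports is obscurity, not access control; the trusted-host, local-in-policy and lockout settings are what actually limit who can reach the login page, so apply the port change on top of those rather than instead of them.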
Logging and Reporting
Logging generates system events, traffic, user login, and many other types of records that can be used for alerts, analysis, and troubleshooting.
Aggregate logs remotely – All FortiGate events should be logged and stored securely. It is advised to send the log to a central location to account for device failure or other unforeseen events.
Encrypt log data – Due to the sensitivity of the log data it is important to encrypt it both in motion and at rest. Communications with FortiAnalyzer/FortiAnalyzer Cloud and FortiCloud are encrypted by default.
Logging to third-party devices – Logging to third-party services should be encrypted. VPNs can be leveraged if the logging protocol itself cannot be encrypted.
Logging – FortiAnalyzer, FortiAnalyzer Cloud, FortiGate Cloud, syslog, and a local disk are logging options for a FortiGate. Logging with syslog only stores the log messages. Logging to FortiAnalyzer stores the logs and provides detailed log analysis.
Security alerts – Once your logs are flowing into a central location, e.g. FortiAnalyzer or a security information and event management (SIEM) system, detection rules or alerts can be configured. Setting up detection alerts is crucial for several reasons:
Early threat detection
Timely incident response
Mitigating advanced threats
Compliance requirements
Incident investigation and forensics
Proactive security posture
See here for more details.
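The following added example (not from the original post or Fortinet's documentation) configures encrypted remote logging and the alerting that the logging section and the earlier "regular audit of user access" recommendation call for: TLS-protected reliable syslog to a SIEM, an encrypted FortiAnalyzer connection, logging of local-in decisions so denied management attempts are visible, and automation stitches that e-mail the SOC on failed administrator logins and on any configuration change. Collector addresses, the FortiAnalyzer serial and mail addresses are placeholders; the log ID for failed admin logins is an assumption to verify in the FortiOS log reference, and the action syntax follows FortiOS 7.x.

```fortios
# Added example: encrypted remote logging and alerting (FortiOS 7.x syntax).
# Collector addresses, the FortiAnalyzer serial and mail addresses are placeholders.

# Syslog over TCP with TLS ("reliable" mode); plain UDP syslog is cleartext
config log syslogd setting
    set status enable
    set server "10.10.0.20"                   # assumed SIEM / syslog collector
    set mode reliable
    set port 6514
    set enc-algorithm high
    set ssl-min-proto-version TLSv1-2
    set facility local7
end

# FortiAnalyzer: encrypted, reliable, real-time upload (the serial pins the peer)
config log fortianalyzer setting
    set status enable
    set server "10.10.0.30"
    set serial "FAZ-VMTM00000000"             # placeholder serial
    set reliable enable
    set upload-option realtime
    set enc-algorithm high
    set ssl-min-proto-version TLSv1-2
end

# Log local-in decisions (including denied management attempts) and implicit-deny hits
config log setting
    set local-in-allow enable
    set local-in-deny-unicast enable
    set fwpolicy-implicit-log enable
end

# Automation stitches: notify the SOC on failed admin logins and on any configuration change
config system automation-trigger
    edit "admin-login-failed"
        set event-type event-log
        set logid 32002                       # assumed: "Admin login failed"; verify in the log reference
    next
    edit "config-changed"
        set event-type config-change
    next
end
config system automation-action
    edit "notify-soc"
        set action-type email
        set email-to "soc@example.com"
        set email-subject "FortiGate security event"
    next
end
config system automation-stitch
    edit "alert-admin-login-failed"
        set trigger "admin-login-failed"
        config actions
            edit 1
                set action "notify-soc"
                set required enable
            next
        end
    next
    edit "alert-config-change"
        set trigger "config-changed"
        config actions
            edit 1
                set action "notify-soc"
                set required enable
            next
        end
    next
end
```

The e-mail action relies on a working outbound mail setting (config system email-server); in a SIEM-centric deployment the same triggers can drive a webhook action towards the ticketing or chat platform instead. The stitches are a first line of alerting only; the correlation rules in FortiAnalyzer or the SIEM cover the remaining items in the list above.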
Performance Monitoring
Performance monitoring of your device is critical for network and security health. FortiGate supports multiple protocols for monitoring resource utilization, such as SNMPv3, NetFlow, and sFlow. These protocols are used to measure the performance of the FortiGate and provide insight into the traffic that it is passing.
Resource monitoring helps establish resource baselines that can be useful for:
Configuring IPS signature rates.
Recognizing abnormal activity, such as when an attack is occurring.
Comparing the bandwidth utilization over specific time spans, such as month to month or year to year, to plan for growth.
Comparing the bandwidth utilization between different WANs, and applying SD-WAN and traffic shaping as needed.
Tuning security profiles to optimize resource usage.
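As an added example (not from the original post or Fortinet's documentation), the following configuration enables the monitoring protocols named above in their secure forms: an SNMPv3 user with authentication and privacy (no v1/v2c community), SNMP permitted only on an out-of-band management port assumed to be named mgmt, and sampled sFlow/NetFlow export from the WAN interface to build the traffic baseline. Collector addresses and passphrases are placeholders; the syntax follows FortiOS 7.0/7.2 (7.4 moves NetFlow collectors into a sub-table).

```fortios
# Added example: SNMPv3 (auth+priv) and flow export for baselining (FortiOS 7.0/7.2 syntax).
# Addresses, passphrases and the "mgmt" interface name are assumptions.

config system snmp sysinfo
    set status enable
    set contact-info "netops@example.com"
    set location "DC1 rack 12"
end

# No v1/v2c communities: remove any that exist under "config system snmp community".
config system snmp user
    edit "nms-v3"
        set status enable
        set queries enable
        set query-port 161
        set notify-hosts 10.10.0.40           # assumed trap receiver
        set events cpu-high mem-low log-full intf-ip ha-switch
        set security-level auth-priv
        set auth-proto sha256
        set auth-pwd "REPLACE_AUTH_PASSPHRASE"
        set priv-proto aes256
        set priv-pwd "REPLACE_PRIV_PASSPHRASE"
    next
end

# Expose SNMP only on the out-of-band management port
config system interface
    edit "mgmt"
        set allowaccess https ssh snmp
    next
end

# Sampled flow export: the traffic baseline used to spot anomalies and plan capacity
config system sflow
    set collector-ip 10.10.0.41
    set collector-port 6343
end
config system netflow
    set collector-ip 10.10.0.42
    set collector-port 2055
    set active-flow-timeout 30
    set inactive-flow-timeout 15
end
config system interface
    edit "wan1"
        set sflow-sampler enable
        set sample-rate 2000                  # 1 in 2000 packets; tune to link speed
        set sample-direction both
        set netflow-sampler both
    next
end
```

With auth-priv, both the SNMP queries and the traps are authenticated and encrypted; sFlow and NetFlow themselves are unencrypted UDP, so keep the collectors on the management network rather than exporting across production segments.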
Device Hardening
System hardening reduces security risk by eliminating potential attack vectors and reducing the attack surface. Some of the best practices described previously contribute to the hardening of the FortiGate; additional hardening steps are listed here:
Secure physical device access – Install the FortiGate in a physically secure location. Physical access to FortiGate can allow it to be bypassed, or allow other firmware to be loaded after a manual reboot.
FortiOS firmware updates – The latest patch typically has the most bug fixes and vulnerability fixes, making it the most stable version.
Use of Encryption – Utilize encrypted protocols whenever possible. For example:
LDAPS instead of LDAP
RADSEC over TLS instead of RADIUS
SNMPv3 instead of SNMP
SSH instead of telnet
OSPF MD5 authentication
SCP instead of FTP or TFTP
NTP authentication
Encrypted logging
Enable only strong ciphers – Force higher levels of encryption and strong ciphers. Strong crypto is enabled by default.
Update Fortiguard DB – Ensure that FortiGuard databases, such as AS, IPS, and AV, are updated continuously and have the most updated definitions at all times.
Trust but verify – Test the FortiGate for unauthorized access and/or leverage 3rd party penetration testing.
Enable anomaly logging – Keep the anomaly action set to 'monitor' for some time; this baselines the traffic so thresholds can be tuned to optimize protection. Note false alarms and, based on their frequency, adjust your policies accordingly.
Enable the DoS policy – Enable the DoS policy to help prevent targeted attacks.
Utilize a custom private key – To enhance password security, specify a custom private key for the encryption process.
Back up your configurations – Back up configurations regularly in preparation for disaster recovery, migrating/upgrading to another device, and troubleshooting. Leverage FortiManager for device configuration backups, or automation stitches to schedule backups using CLI scripts.
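The following added example (not from the original post or Fortinet's documentation) implements several of the hardening steps above in the FortiOS CLI: LDAPS with CA validation instead of plain LDAP, a DoS policy whose newest anomaly stays in monitor (pass + log) mode while the tuned ones block, the custom private-data encryption key, and a nightly configuration backup over SFTP protected by a backup password and driven by an automation stitch. Server addresses, object names and passwords are placeholders; the syntax follows FortiOS 7.x, and the sftp backup target should be confirmed on your build.

```fortios
# Added example: LDAPS, a staged DoS policy, private-data encryption and scheduled
# encrypted backups (FortiOS 7.x syntax). Addresses, names and passwords are placeholders.

# LDAPS instead of LDAP: TLS on 636 with CA validation and a server identity check
config user ldap
    edit "corp-ldaps"
        set server "ldap.example.com"
        set secure ldaps
        set port 636
        set ca-cert "CORP-ROOT-CA"            # assumed name of the imported CA certificate
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fgt-bind,OU=Service Accounts,DC=example,DC=com"
        set password "REPLACE_BIND_PASSWORD"
    next
end

# DoS policy on the internet-facing interface: new anomalies start on "pass" with logging
# to baseline; switch them to "block" once the threshold produces no false alarms.
config firewall DoS-policy
    edit 1
        set name "wan1-dos"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action pass               # monitoring phase
                set threshold 2000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action block              # tuned and enforced
                set threshold 2000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
            next
        end
    next
end

# Custom private key for encrypting passwords and other secrets in the configuration;
# FortiOS prompts for the 32-character hexadecimal key when the setting is enabled.
config system global
    set private-data-encryption enable
end

# Nightly backup over SFTP with a backup password (file encrypted at rest);
# confirm the sftp target on your build with "execute backup config ?".
config system automation-trigger
    edit "nightly-0200"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 2
        set trigger-minute 0
    next
end
config system automation-action
    edit "backup-config-sftp"
        set action-type cli-script
        set script "execute backup config sftp DC1-FGT-EDGE-01.conf 10.10.0.70 backupuser REPLACE_SFTP_PASSWORD REPLACE_BACKUP_PASSWORD"
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "nightly-config-backup"
        set trigger "nightly-0200"
        config actions
            edit 1
                set action "backup-config-sftp"
                set required enable
            next
        end
    next
end
```

Once private-data encryption is enabled, backups taken without that key cannot be restored on another unit, so record the key in the same vault as the backup password and include both in the disaster-recovery runbook.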
Defining fine-grained Policies
Leverage policy types to secure different types of traffic. For example:
DoS policies
Local-in policies
Security policies
Virtual IPs
See here for more details.
Hardening Security Profiles
Security profiles define inspection policies. When traffic matches a profile, it is either allowed, blocked, or monitored (allowed and logged).
Assess policy and traffic match – Apply the necessary level of protection after assessing policy and traffic matching.
DoS security policies – Detect and drop illegitimate traffic before it reaches more resource-intensive security profiles (see Denial of service for more information).
Flow/proxy inspection – Leverage flow mode to prioritize traffic throughput and apply proxy mode for deeper inspection; proxy mode requires more resources.
See here for more details.
Enable SSL/TLS deep inspection
TLS encryption is used to secure traffic, but encrypted traffic can also be used to get around normal defenses. Enable SSL/TLS deep inspection to inspect traffic even when it is encrypted.
See here for more details.
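As an added example (not from the original post or Fortinet's documentation), the following configuration ties the policy-type, inspection-mode and deep-inspection advice of the last three sections together: an egress security policy in flow mode with a full profile set and a custom deep-inspection SSL/SSH profile that exempts a destination which must not be decrypted, and a virtual IP for a published server with its own proxy-mode inbound policy using the built-in server-protection IPS sensor. Address objects, interface names and the public address (from the documentation range) are placeholders; the syntax follows FortiOS 7.x.

```fortios
# Added example: policy types and inspection levels working together (FortiOS 7.x syntax).
# Address objects, interface names and the public IP are placeholders.

config firewall address
    edit "LAN-users"
        set subnet 10.30.1.0 255.255.255.0
    next
    edit "payroll-saas"
        set type fqdn
        set fqdn "payroll.example.net"        # assumed destination that must not be decrypted
    next
end

# Deep inspection profile: re-sign with the FortiGate CA (deploy that CA to clients),
# exempt protected destinations, and use the untrusted CA for servers with bad certificates
# so clients still see a warning instead of a silently "trusted" connection.
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        set comment "Full TLS inspection for user egress"
        config https
            set ports 443
            set status deep-inspection
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config ssl-exempt
            edit 1
                set type address
                set address "payroll-saas"
            next
        end
    next
end

# Security policy for user egress: flow mode for throughput, full profile set, deep inspection
config firewall policy
    edit 10
        set name "LAN-to-Internet-inspected"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN-users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-custom"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end

# Virtual IP for a published server, with its own proxy-mode policy for deeper inspection
config firewall vip
    edit "web-dmz-443"
        set extip 203.0.113.10                # documentation-range public address
        set extintf "wan1"
        set mappedip "10.30.0.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
config firewall policy
    edit 20
        set name "Inbound-to-DMZ-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-dmz-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ips-sensor "protect_http_server"  # built-in server-protection sensor
        set logtraffic all
    next
end
```

For the inbound policy, the IPS sensor only sees inside the TLS session if an SSL/SSH profile with the server's own certificate (server-cert-mode replace) is attached as well; without it the policy still limits exposure to one port and one address while the server terminates TLS itself.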
Securing Remote access
Users and devices are now more remote than ever, and networks are expanding into thin branch networks and the cloud. Secure remote access is advancing to meet the requirements of increasingly distributed environments. Assessing the requirements will determine which solution is best.
Fortinet has several options, typically the FortiGate leverages IPsec and SSL VPN. SSL VPN has two modes, tunnel and web. However, FortiGates also leverage ZTNA for granular application access and client device authentication and control.
See here for more details.
Firmware and Change Management
Consider the following points when performing firmware upgrades, not only in FortiOS, but as a general rule for any change in a production environment.
Understand the new version
Have valid reasons to upgrade the firmware
Prepare a detailed plan
Take business and technical aspects into consideration
Execute the upgrade as per the planning
Note: FortiGate and service contracts must be registered to have full access to Fortinet Customer Service and Support and FortiGuard services. FortiGates can be registered in the FortiGate GUI or the FortiCloud support portal. Service contracts can be registered from the FortiCloud support portal.
See here for more details.
Sources: Internet Search, Fortinet Docs