Companies today face unprecedented challenges, from supply shortages to global economic uncertainties. But
because highly sophisticated cyber-criminals can inflict the most catastrophic damage of all, we decided to start sharing our best practices on the management and implementation of FortiGate firewalls.
Our Firewall Security Experts have provided state-of-the-art Firewall Management Services for decades, and we are now sharing those best practices with you.
We will take the FortiGate firewall configuration areas one by one and provide you with our best practice for properly configuring each of them.
FortiGate Best Practices
We listed below some of the best practices that we use when we do a FortiGate firewall audit as part of our Managed Firewall Service. We do not document here the default practices that FortiGate firewalls already implement, such as disabling SNMP agents.
Management & VDOMs
Virtual Domains (VDOMs) are the best way to manage a FortiGate firewall, as they allow the FortiGate to act as multiple independent firewalls, all managed from the same GUI.
Whenever possible, use VDOMs and create a dedicated one for management. For example, you can use the "root" VDOM to handle the management traffic and another dedicated VDOM for data traffic. You can go further and use dedicated VDOMs for departments, production/non-production data, etc.
Management and Administration
We have general guidelines for the management of a FortiGate firewall. Below is part of our list:
Have pre- and post-login banners (reference)
Why: This banner should, at the very least, prohibit any unauthorized access, notify users of any logging or monitoring activity, and refrain from using language that could be perceived as an invitation (e.g. "welcome").
config system global
set pre-login-banner enable
set post-login-banner enable
end
Configure the proper time zone and NTP (by default the FortiGate uses FortiGuard NTP; you can change this via the CLI):
Why: It is essential to have accurate timestamps when correlating events with other systems, troubleshooting, or performing DFIR work.
Log in to the FortiGate.
Go to 'System' -> 'Settings'.
The time zone and NTP settings are under 'System Time'.
Disable USB firmware and configuration installation
Why: Disabling auto-install from the USB port prevents a USB stick carrying a manipulated configuration or incorrect firmware from being connected and loaded automatically.
config system auto-install
set auto-install-config disable
set auto-install-image disable
end
Have a strong password policy
Why: You always want administrators to use a strong password that cannot easily be brute-forced.
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 15
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
Make sure that only SNMPv3 is enabled (disable SNMPv1/v2c)
Why: SNMP version 3 provides improved security compared to SNMP versions 1 and 2c, as it introduces authentication and privacy options. SNMPv1/v2c are clear-text.
FG_HIFENCE # config system snmp user
FG_HIFENCE (user) # edit "HIFENCE_SNMP"
FG_HIFENCE (HIFENCE_SNMP) # set security-level auth-priv
FG_HIFENCE (HIFENCE_SNMP) # set auth-proto sha256
FG_HIFENCE (HIFENCE_SNMP) # set auth-pwd xxxx
FG_HIFENCE (HIFENCE_SNMP) # set priv-proto aes256
FG_HIFENCE (HIFENCE_SNMP) # set priv-pwd xxxx
FG_HIFENCE (HIFENCE_SNMP) # end
Admin accounts must have specific trusted hosts enabled and set
Why: To secure an administrative account, configure it to be accessible only from trusted hosts with specific IP addresses or subnets. This prevents unauthorized access from any other network segment: anyone attempting to access the account from outside the specified segment will be denied. This also implies that administrators working remotely must go through a jump host in the allowed segment to gain access.
FG_HIFENCE # config system admin
FG_HIFENCE (admin) # edit "hifence_admin"
FG_HIFENCE (hifence_admin) # show
config system admin
    edit "hifence_admin"
        set trusthost1 10.255.255.0 255.255.255.0
        set trusthost2 10.200.255.0 255.255.255.0
    next
end
Allow only encrypted protocols for the management of the firewall
Why: By only allowing encrypted protocols (HTTPS/SSH), we make sure that the management traffic cannot be sniffed in a man-in-the-middle attack.
FG_HIFENCE # config system interface
FG_HIFENCE (interface) # edit port1
FG_HIFENCE (port1) # set allowaccess ssh https
FG_HIFENCE (port1) # end
Configure HA, Monitor Interfaces and Reserve Management Interface
Configuring High Availability (HA) increases system availability as well as decreases the impact of routine maintenance like updates and the impact of device failure.
With interface monitoring enabled, failover can occur if there are physical media issues or issues with the specific port that the FortiGate is connected to (reference). Use dedicated interfaces or VLANs for heartbeats and configuration sync! You do not want to lose heartbeats when you have a spike in normal data traffic!
By assigning an interface as the "Reserved Management Interface", we make sure we can access the firewalls individually without them being fully synced (the management interface assigned will not be synced in this setup).
Configure HA as active/passive
Based on our experience, most enterprises really use an active/passive setup, and we have rarely seen a use case where active/active was used and needed (except in public clouds).
Some advantages of using active/passive vs active/active are:
1. When you make a change, you do it only once (on the active unit) and you do not need any other equipment (like a FortiManager) to configure it on the other firewall node.
2. Easier troubleshooting: you know for sure which unit is processing the traffic, so troubleshooting and fixing is faster.
3. Failover happens fast, as the devices sync their sessions.
4. You can trigger failover by using monitored interfaces, as presented above.
5. No over-subscription. In active/active, if the load on the FortiGate goes above 50% on both units and one unit fails, the other one will NOT be able to handle the traffic. To be fair, in active/active you get to use both firewalls' capacities, so there are downsides to both.
Network – Interfaces & Zones
Allow only ping on non-management interfaces
Why: There is NO need to have other management traffic available on the FortiGate except on the management interface.
How: Go to the interface level and allow only "ping" as an allowed protocol.
Add only VLAN interfaces to zones, not a physical interface
Why: Why lose physical interfaces when you can take advantage of using VLAN interfaces? This way, you have enough available physical interfaces to further expand your environment as needed.
How: Create VLAN interfaces and assign those to the zones you created
Make sure that intra-zone traffic is denied
Why: This helps you avoid mistakes when assigning a new interface to a zone, where otherwise by "default" all traffic between the interfaces of the zone is allowed. Denying intra-zone traffic makes sure that only specific, authorized traffic is allowed between networks in the same zone.
FG_HIFENCE # config system zone
FG_HIFENCE (zone) # edit ZONE1
FG_HIFENCE (ZONE1) # show full
config system zone
    edit "ZONE1"
        set intrazone deny
    next
end
Configure DNS Server
Why: The FortiGate uses the Domain Name System (DNS) to translate host names into IP addresses. You need to configure DNS servers to properly enable DNS lookups. Hint: the FortiGate checks the primary DNS server first and, in case a time-out occurs, goes to the second or third.
FG_HIFENCE # config system dns
FG_HIFENCE (dns) # set primary 184.108.40.206
FG_HIFENCE (dns) # set secondary 220.127.116.11
FG_HIFENCE (dns) # end
Firewall Policies & Objects
Put the most-used firewall policies on top
Why: This helps the firewall find a match fast, without passing through all the firewall rules. This saves CPU time.
How: This can be done by checking the utilization of each firewall policy and moving the most used ones to the top.
Log ALL traffic
Why: You would need this for compliance, future investigations, and reporting.
How: On each and every firewall policy you should have logging enabled.
Make sure that policies without any hits are reviewed regularly.
Why: This helps with the proper management of the firewall. Unused firewall rules can sometimes start being used if the address of a former "deleted" host reappears in the network and "inherits" the previous host's access rights.
How: Check the GUI for policy hits. See more info here
Make sure that there aren’t any firewall policies with “ALL” as service
Why: This should be pretty obvious. You do NOT want full access to the Internet or any other network segment without a good business reason.
How: Check the GUI in the Firewall Policy and filter by services. Make sure there is no “ALL” as service.
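The checks above on admin accounts, management access, zones and policies can be run against a configuration dump instead of by hand. The following Python script is an added example (not HIFENCE's code or a Fortinet tool): it parses a FortiOS config dump in the format `show full` prints and flags admins without trusted hosts, interfaces whose allowaccess goes beyond ping/HTTPS/SSH, zones without an explicit intrazone deny, and policies with service ALL or without logtraffic all. The sample dump is constructed for the example and the helper names are assumptions.

```python
import shlex

def parse_fortios(text):
    # Turn FortiOS 'config / edit / set / next / end' blocks into nested dicts.
    stack = [{}]                                # stack[0] is the root, stack[-1] the open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # skip blanks and the '#config-version' header
            continue
        kw, *args = shlex.split(line)
        if kw in ("config", "edit"):            # open a table, or an entry inside it
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":                       # key -> list of values
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):             # close the entry / table
            stack.pop()
    return stack[0]

CHECKS = [  # (config table, predicate a compliant entry satisfies, finding text)
    ("system admin", lambda e: any(k.startswith("trusthost") for k in e), "no trusted hosts set"),
    ("system interface", lambda e: set(e.get("allowaccess", [])) <= {"ping", "https", "ssh"}, "allowaccess permits a clear-text or non-management protocol"),
    ("system zone", lambda e: e.get("intrazone") == ["deny"], "intra-zone traffic not explicitly denied"),
    ("firewall policy", lambda e: "ALL" not in e.get("service", []), "service ALL"),
    ("firewall policy", lambda e: e.get("logtraffic") == ["all"], "logtraffic is not 'all'"),
]

def audit(cfg):
    # One finding string per entry that fails a check, e.g. "system admin contractor: no trusted hosts set".
    return [f"{table} {name}: {msg}" for table, ok, msg in CHECKS
            for name, entry in cfg.get(table, {}).items() if not ok(entry)]

# Constructed sample dump (not from a real device); every entry in it violates a practice above.
SAMPLE = """
config system admin
    edit "contractor"
    next
end
config system interface
    edit "port2"
        set allowaccess ping http telnet
    next
end
config firewall policy
    edit 1
        set service "ALL"
        set logtraffic utm
    next
end
"""
```

Run `audit(parse_fortios(open("backup.conf").read()))` on a real `show full` dump to get the list of findings; an empty list means every checked entry complies.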
Antivirus, DNS, File Filter
Make sure that Antivirus definition push updates are configured and the AV profile is enabled on policies
Why: Who wouldn't want to be updated as soon as a new AV signature is available? You also must make sure that the antivirus profile is enabled on the firewall policies!
config system autoupdate
set status enable
end
Enable Botnet C&C Domain Blocking DNS Filter
Why: You want to block access to botnets at the DNS resolution phase. This also helps identify compromised hosts if you have adequately integrated the firewall logs with a SIEM.
How: Go to Security Profiles > DNS Filter and make sure that "Redirect botnet C&C requests to Block Portal" is enabled. Don't forget that you need to enable the DNS filter profile on the firewall policies as well!
Always have SSL inspection configured before using Web Filter, IPS, or Application Control
Why: To properly inspect all traffic you must have deep SSL inspection configured. This is needed as most application and web traffic is encrypted within an SSL/TLS tunnel. Without it, the functionality of these features is limited.
How: We will create an SSL inspection guide, but for the moment, please use this reference.
Always block the QUIC protocol on the FortiGate
Why: The QUIC protocol can cause issues when you are trying to do Web Filter, Application Control, or IPS, because QUIC can sometimes bypass any transparent proxy that you might have (see reference).
How: Go to the top of the firewall rules and block UDP ports 80 and 443. Another option is to enable the "QUIC" application signature and set it to block in the Application Control profile.
VPN and SSL-VPN
Always use MFA for SSL VPN users
Why: As the SSL VPN portal is Internet-facing, you want to make sure that every authentication uses MFA.
How: Create a RADIUS server (NPS or any other) and integrate it with Azure MFA/Cisco Duo/etc. If you do not know how, our IT consultants can always help.
User Authentication (FSSO, Radius, Local)
Deploy FSSO in DC Agent mode and NOT in Polling mode
Why: In our experience, in Polling mode there is a big chance (in bigger environments) that you will lose authentication security events. This will frustrate users if you are using those groups for web authentication.
How: When deploying the FSSO collector agent on a domain controller, always use DC Agent mode. Reference
Logging and Reporting
Event and Centralized Logging
Enable Event Logging
Why: Enabling event logging generates logs that can be stored for review and auditing, or can be integrated with a SIEM.
config log eventfilter
set event enable
end
Centralized Logging and Reporting
Why: Device logs should be sent to a centralized system for log collection, retention, and reporting. This could be a SIEM, a syslog server, FortiAnalyzer, etc.
How: See reference
How Does HIFENCE Managed Firewall Help?
With decades of cybersecurity experience, HIFENCE security experts provide our advanced Managed FortiGate Firewall service, which delivers 24/7 monitoring, detection, analysis, and the rapid response needed to protect your entire infrastructure from today's most sophisticated threats. If you are interested in a company to help you manage your FortiGate firewall and also provide Managed Networking & Cybersecurity Services, you can contact us.