The Definitive Guide to FortiGate Firewall Management

Companies today face unprecedented challenges, from supply shortages to global economic uncertainty. Because highly sophisticated cyber-criminals can inflict the most catastrophic damage of all, we decided to start sharing our best practices for the management and implementation of FortiGate firewalls.

Our firewall security experts have provided Firewall Management Services for decades, and this guide collects the practices we apply in that work.

We will go through the FortiGate configuration areas one by one and give you our best practice for configuring each of them properly.

 


FortiGate Best Practices

Listed below are some of the best practices we apply when we audit a FortiGate firewall as part of our Managed Firewall Service. We do not document the secure defaults that a FortiGate already ships with (for example, the SNMP agent stays disabled until you enable it).

Management & VDOMs

VDOMs

Virtual Domains (VDOMs) are the best way to structure a FortiGate, as they let one appliance act as multiple independent firewalls, each with its own interfaces, routing and policies, all managed from the same GUI.

Whenever possible, use VDOMs and dedicate one of them to management. For example, keep the “root” VDOM for management traffic and use a separate VDOM for data traffic. You can go further and use dedicated VDOMs per department, for production vs. non-production data, and so on.

Management and Administration

We have general guidelines for the management of a FortiGate Firewall. Below is a part of our list:

 

Have Post and Pre login banners (reference)

Why: At the very least, the banner should prohibit unauthorized access, notify users that activity is logged and monitored, and avoid any wording that could be read as an invitation (e.g. “welcome”). The banner text itself is edited in the Admin replacement messages (pre_admin-disclaimer-text and post_admin-disclaimer-text); the commands below only switch the banners on.

How:

config system global
set pre-login-banner enable
set post-login-banner enable
end

 

 

Configure the proper time zone and NTP (by default the FortiGate syncs its clock with the FortiGuard NTP servers; you can point it at your own servers in the GUI or via the CLI under config system ntp):

Why: Accurate timestamps are essential when correlating events with other systems, troubleshooting, or performing DFIR work. A FortiGate whose clock drifts also breaks certificate validity checks and the ordering of its logs in your SIEM.

How:

Login to FortiGate
Go to 'System' -> 'Settings'.
Time Zone and NTP settings are under 'System Time'

 

Disable USB Firmware and configuration installation

Why: Disabling auto-install from USB prevents someone with physical access from plugging in a USB stick and having a manipulated configuration or a downgraded/incorrect firmware image loaded automatically at boot.

How:
config system auto-install
set auto-install-config disable
set auto-install-image disable
end

 

Have a strong password policy

Why: Administrator passwords must be strong enough that they cannot be brute-forced or guessed. Applying the same policy to IPsec pre-shared keys keeps weak PSKs out of your VPN tunnels as well.

How:

config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 15
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end

 

Make sure that only SNMPv3 is enabled (disable SNMPv1/v2c)

Why: SNMP version 3 provides authentication and privacy (encryption), which versions 1 and 2c lack: their community strings and all polled data travel in clear text, and a community string is effectively a shared read (or write) password for the device.

How: Create an SNMPv3 user with security level auth-priv, and make sure no SNMPv1/v2c communities remain under config system snmp community. SNMP also has to be enabled under config system snmp sysinfo and added to allowaccess on the management interface only.

FG_HIFENCE # config system snmp user
FG_HIFENCE (user) # edit "HIFENCE_SNMP"
FG_HIFENCE (HIFENCE_SNMP) # set security-level auth-priv
FG_HIFENCE (HIFENCE_SNMP) # set auth-proto sha256
FG_HIFENCE (HIFENCE_SNMP) # set auth-pwd xxxx
FG_HIFENCE (HIFENCE_SNMP) # set priv-proto aes256
FG_HIFENCE (HIFENCE_SNMP) # set priv-pwd xxxx
FG_HIFENCE (HIFENCE_SNMP) # end

 

Admin accounts must have specific trusted hosts set

Why: To secure an administrative account, restrict it to specific source IP addresses or subnets (trusted hosts). Login attempts from any other network segment are rejected, which also takes the account out of reach of password-guessing from the Internet. This implies that administrators working remotely need a jump host in the allowed segment to reach the firewall. Note that a trusted host of 0.0.0.0 0.0.0.0 means “any”, so check with show full-configuration that no account still has it.

How:

config system admin
edit "hifence_admin"
set trusthost1 10.255.255.0 255.255.255.0
set trusthost2 10.200.255.0 255.255.255.0
next
end

 

Only encrypted protocols are allowed for the management of the firewall

Why: By allowing only encrypted management protocols (HTTPS and SSH) and removing HTTP and Telnet, we make sure that administrator credentials and session contents cannot be sniffed or tampered with by someone on the path. Keep management access off Internet-facing interfaces entirely; the allowaccess list below belongs on the management interface only.

How:

FG_HIFENCE # config system interface
FG_HIFENCE (interface) # edit port1
FG_HIFENCE (port1) # set allowaccess ssh https
FG_HIFENCE (port1) # end
FG_HIFENCE #

 

Configure HA, monitor interfaces and reserve a management interface

Configuring High Availability (HA) increases system availability and reduces the impact of routine maintenance such as firmware updates, as well as the impact of a device failure.

With interface monitoring enabled on the cluster members, failover can occur when there are physical media issues or issues with the specific port the FortiGate is connected to (reference). Use dedicated interfaces or VLANs for heartbeats and configuration sync! You do not want to lose heartbeats because of a spike in normal data traffic.

By assigning an interface as the “Reserved Management Interface”, we make sure we can reach each firewall individually, even when the cluster is not fully in sync (the configuration of the reserved management interface is not synchronized between the members).

 

Configure HA as active/passive

Based on our experience, most enterprises really use an active/passive setup, and we have rarely seen a use-case where active/active was used and needed (except in public clouds).

Some advantages of active/passive over active/active are:

1. When you make a change, you do it only once (on the active unit) and you do not need any other equipment (like a FortiManager) to configure it on the other firewall node.

2. Easier troubleshooting: you know for sure which unit is processing the traffic, so finding and fixing the problem is faster.

3. Failover is fast because the units synchronize their sessions. Make sure session pickup (set session-pickup enable under config system ha) is turned on, otherwise established sessions are dropped on failover.

4. You can trigger failover by using monitored interfaces, as presented above.

5. No over-subscription. In active/active, if the load on both units goes above 50% and one unit fails, the remaining one will NOT be able to handle all the traffic. To be fair, in active/active you get to use the capacity of both firewalls, so there are trade-offs on both sides.

 

 

Network – Interfaces & Zones

Allow only ping on non-management interfaces

Why: There is NO need for management protocols (HTTPS, SSH, SNMP, etc.) to be reachable on any FortiGate interface other than the management interface; every extra listener is extra attack surface. Ping can stay for troubleshooting, or be removed as well if you do not need it.

How: At the interface level, leave only “ping” in the list of allowed administrative access protocols.

 

Add only VLAN interfaces to zones, not physical interfaces

Why: Why use up physical interfaces when you can take advantage of VLAN interfaces? This way, you keep enough physical interfaces available to expand your environment as needed, and moving a network to another port later is a VLAN change rather than a policy change.

How: Create VLAN interfaces and assign those to the zones you created.

 

Make sure that intra-zone traffic is denied

Why: When a new interface is added to a zone whose intra-zone traffic is allowed, it can immediately talk to every other interface in that zone without any policy. Denying intra-zone traffic makes sure that only specific, authorized traffic (matched by an explicit policy) is allowed between networks in the same zone.

How:

config system zone
edit "ZONE1"
set intrazone deny
next
end

 

Configure DNS servers

Why: The FortiGate uses DNS to resolve host names into IP addresses for FortiGuard updates, FQDN address objects, web filtering and so on, so you need working DNS servers configured. Hint: the FortiGate queries the primary server first and only falls back to the secondary (or tertiary) on a time-out. Prefer your internal resolvers over public ones where you have them, so the firewall's own DNS queries stay inside your network.

How:

FG_HIFENCE # config system dns 
FG_HIFENCE (dns) # set primary 1.1.1.1
FG_HIFENCE (dns) # set secondary 8.8.8.8
FG_HIFENCE (dns) # end
FG_HIFENCE #

Firewall Policies & Objects

Put the most used firewall policies on top

Why: Policies are evaluated top-down and the first match wins, so placing the most-hit policies near the top finds a match fast without walking the whole rule base. This saves CPU time.

How: Check the hit count of each firewall policy and move the most used ones towards the top. Because the first match wins, only move a policy above another one if the two cannot match the same traffic; otherwise you change what is allowed, not just the performance.

 

Log ALL traffic

Why: You will need it for compliance, future investigations, and reporting. The FortiGate default (logtraffic utm) only logs sessions on which a security profile fired, so plain accepted and denied sessions would otherwise be missing from your SIEM.

How: On each and every firewall policy, set logging to all sessions (set logtraffic all), and enable logging on the implicit deny policy as well.

 

Make sure that policies without any hits are reviewed regularly.

Why: This keeps the rule base lean and understandable. An unused policy can silently become active again, for example when a host that was “deleted” reappears on the network with the same address and “inherits” the previous host's access rights.

How: Check the policy hit counts in the GUI. See more info here
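The hit counts in the GUI are reset on reboot and show no history, so a practitioner usually runs the same check over the traffic logs exported to syslog or FortiAnalyzer. The following Python script is an added example, not HIFENCE's or Fortinet's code: it parses FortiOS key=value traffic log lines, counts sessions per policy ID, lists the configured policies that never matched, and goes one step beyond the text by also reporting which sources keep hitting the implicit deny (policy ID 0). The log lines and the set of configured policy IDs are constructed for the example.

```python
# Added example, not HIFENCE or Fortinet code: count policy hits from FortiGate
# forward-traffic logs exported to syslog (key=value format) and list the
# configured policies that never matched. The log lines and the policy IDs
# below are constructed for the example.
import re
from collections import Counter

SAMPLE_LOGS = """\
date=2024-03-01 time=10:15:02 devname="FG_HIFENCE" type="traffic" subtype="forward" vd="root" srcip=10.200.255.10 srcintf="port2" dstip=203.0.113.7 dstport=443 proto=6 action="accept" policyid=2 policyname="web-out" service="HTTPS"
date=2024-03-01 time=10:15:03 devname="FG_HIFENCE" type="traffic" subtype="forward" vd="root" srcip=10.200.255.11 srcintf="port2" dstip=203.0.113.9 dstport=53 proto=17 action="accept" policyid=2 policyname="web-out" service="DNS"
date=2024-03-01 time=10:15:05 devname="FG_HIFENCE" type="traffic" subtype="forward" vd="root" srcip=10.200.255.12 srcintf="port2" dstip=203.0.113.7 dstport=22 proto=6 action="accept" policyid=1 policyname="any-out" service="SSH"
date=2024-03-01 time=10:15:09 devname="FG_HIFENCE" type="traffic" subtype="forward" vd="root" srcip=10.200.255.13 srcintf="port2" dstip=203.0.113.7 dstport=3389 proto=6 action="deny" policyid=0 policyname="" service="RDP"
date=2024-03-01 time=10:15:11 devname="FG_HIFENCE" type="traffic" subtype="forward" vd="root" srcip=10.200.255.13 srcintf="port2" dstip=203.0.113.8 dstport=445 proto=6 action="deny" policyid=0 policyname="" service="SMB"
date=2024-03-01 time=10:16:00 devname="FG_HIFENCE" type="event" subtype="system" vd="root" logdesc="Admin login successful" user="hifence_admin" srcip=10.255.255.20 action="login" status="success"
"""

# Policy IDs present in the config, e.g. collected from "show firewall policy" (constructed).
CONFIGURED_POLICIES = {1, 2, 3, 4}

# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Split one FortiOS key=value log line into a dict (quotes stripped)."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}


def policy_hits(lines):
    """Sessions per policy ID, forward-traffic logs only; ID 0 is the implicit deny."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") == "traffic" and rec.get("subtype") == "forward":
            hits[int(rec["policyid"])] += 1
    return hits


def unused_policies(configured_ids, hits):
    """Configured policies that never matched in the analysed period."""
    return sorted(pid for pid in configured_ids if hits[pid] == 0)


def implicit_deny_sources(lines):
    """Source IPs hitting the implicit deny, most frequent first."""
    sources = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") == "traffic" and rec.get("policyid") == "0":
            sources[rec["srcip"]] += 1
    return sources.most_common()


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    hits = policy_hits(lines)
    print("hits per policy:", dict(hits))
    print("unused policies:", unused_policies(CONFIGURED_POLICIES, hits))
    print("implicit deny sources:", implicit_deny_sources(lines))
```

Run it against a day or a week of exported logs rather than the sample: a policy with zero hits over a full business cycle is a candidate for removal, and a single internal host dominating the implicit-deny list is worth a closer look before you touch the rule base.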

 

Make sure that there aren't any firewall policies with “ALL” as service

Why: This should be pretty obvious. You do NOT want full access to the Internet or to any other network segment without a good business reason; an accept policy with service ALL (especially combined with source and destination “all”) is effectively no firewall at all.

How: In the GUI, open the Firewall Policy list and filter by service. Make sure no accept policy has “ALL” as its service.
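Checking these settings one by one in the GUI does not scale across many firewalls or VDOMs, so as an added example (not code from HIFENCE or Fortinet) here is a Python audit of a saved FortiOS configuration, the text that show or show full-configuration prints. It parses the config/edit/set/next/end tree and flags the mis-settings from the checks above: admin accounts without trusted hosts (or with the 0.0.0.0 0.0.0.0 “any” host), HTTP/Telnet in allowaccess, non-management interfaces allowing more than ping, zones not set to deny intra-zone traffic, accept policies with service ALL, and policies not logging all sessions. The embedded config is constructed for the example, and the name of the management interface (port1) is an assumption the operator passes in.

```python
# Added example, not HIFENCE or Fortinet code: audit a saved FortiOS config
# (output of "show" / "show full-configuration") against the checks above.
# The config below is constructed; "port1" as the management interface is an
# assumption passed in by the operator.
import shlex

SAMPLE_CONFIG = """\
config system admin
    edit "hifence_admin"
        set trusthost1 10.255.255.0 255.255.255.0
        set trusthost2 10.200.255.0 255.255.255.0
    next
    edit "backup_admin"
        set accprofile "super_admin"
    next
    edit "legacy_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
    edit "port2"
        set allowaccess ping http telnet
    next
end
config system zone
    edit "ZONE1"
        set intrazone deny
    next
    edit "ZONE2"
    next
end
config firewall policy
    edit 1
        set action accept
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set action accept
        set service "HTTPS" "DNS"
    next
end
"""

CLEARTEXT_MGMT = {"http", "telnet"}


def parse_fortios(text):
    """Nested dicts from the config/edit/set/next/end tree: a table such as
    "system admin" maps edit keys to entries, an entry maps set keys to value lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)      # shlex strips the "quoted" names
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_config(cfg, mgmt_interfaces):
    """Return one finding string per violated check (empty list = clean)."""
    findings = []
    for name, admin in cfg.get("system admin", {}).items():
        hosts = [v for k, v in admin.items() if k.startswith("trusthost")]
        # "show" omits the default; "show full-configuration" prints it as 0.0.0.0 0.0.0.0
        if not hosts or any(h[0] == "0.0.0.0" for h in hosts):
            findings.append(f"admin {name}: no trusted hosts, logins accepted from any source")
    for name, intf in cfg.get("system interface", {}).items():
        access = set(intf.get("allowaccess", []))
        cleartext = sorted(access & CLEARTEXT_MGMT)
        if cleartext:
            findings.append(f"interface {name}: clear-text management {cleartext}")
        extra = sorted(access - {"ping"})
        if name not in mgmt_interfaces and extra:
            findings.append(f"interface {name}: non-management interface allows {extra}")
    for name, zone in cfg.get("system zone", {}).items():
        if zone.get("intrazone") != ["deny"]:    # absent = left at the default
            findings.append(f"zone {name}: intrazone not set to deny")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") != ["accept"]:
            continue                             # deny policies need no service/log review
        if "ALL" in pol.get("service", []):
            findings.append(f"policy {pid}: accept policy with service ALL")
        if pol.get("logtraffic") != ["all"]:     # absent = default "utm"
            findings.append(f"policy {pid}: logtraffic is not 'all'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_fortios(SAMPLE_CONFIG), mgmt_interfaces=("port1",)):
        print("FINDING:", finding)
```

Feed it show full-configuration rather than show where you can: the full output prints the defaults explicitly (the 0.0.0.0 0.0.0.0 trusted host, logtraffic utm), whereas show omits them, which is why the checks treat a missing key as “left at the default” and still report it.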

 

 

Security Profiles

Antivirus, DNS, File Filter

Make sure that Antivirus definition updates are scheduled and that the AV profile is enabled on policies

Why: Who wouldn't want the new AV signature as soon as it is available? Signature updates alone do nothing, though, unless an antivirus profile is applied to the firewall policies that carry the traffic, so check the policies as well.

How:

config system autoupdate schedule
set status enable
set frequency automatic
end

 

 

Enable Botnet C&C Domain Blocking DNS Filter

Why: You want to block access to botnets at the DNS resolution phase, before a session to the C&C server is even attempted. It also helps identify already compromised hosts: a client that repeatedly asks for C&C domains shows up in the DNS filter logs, provided the firewall logs are integrated with a SIEM.

How: Go to Security Profiles > DNS Filter and make sure that “Redirect botnet C&C requests to Block Portal” is enabled. Don't forget that the DNS filter profile has to be applied to the firewall policies as well!

Always have SSL inspection configured before using Web Filter, IPS, or Application Control

Why: To properly inspect all traffic you must have deep SSL/TLS inspection configured, because most application and web traffic today is encrypted inside a TLS session. With certificate inspection only, the FortiGate sees the server name and certificate but not the content, so web filtering is limited to the host name and IPS/Application Control cannot look inside the stream. Deep inspection requires distributing the FortiGate's CA certificate to the clients, so plan that rollout first.

How: We will create an SSL inspection guide, but for the moment, please use this reference.

Always block QUIC on the FortiGate

Why: QUIC runs over UDP (port 443, sometimes 80) with its own encryption, so it bypasses the transparent proxy that Web Filter, Application Control and IPS rely on (see reference). When QUIC is blocked, browsers fall back to HTTPS over TCP, which the FortiGate can inspect.

How: Add a policy at the top of the rule base that denies UDP ports 80 and 443 (the predefined “QUIC” service object covers both), or block the “QUIC” application signature in the Application Control profile applied to the policy.

VPN and SSL-VPN

Always use MFA for SSL VPN users

Why: The SSL VPN portal is Internet-facing, so a stolen or guessed password alone must not be enough to get in; every authentication should require a second factor.

How: Create a RADIUS server (NPS or any other) and integrate it with Azure MFA/Cisco Duo/etc., then use that server as the authentication source for the user group referenced by the SSL VPN policy. If you do not know how, our IT consultants can always help.

User Authentication (FSSO, Radius, Local)

Deploy FSSO in DC Agent mode and NOT Polling mode

Why: In our experience, in polling mode there is a big chance (in larger environments) that you will miss authentication security events, so users end up in the wrong (or no) FSSO group. This creates frustration when those groups are used in firewall policies for web authentication.

How: When deploying the FSSO collector agent on a domain controller, always use DC Agent mode. Reference

 

Logging and Reporting

Event and Centralized Logging

Enable Event Logging

Why: Enabling event logging generates logs that can be stored for review and auditing or can be integrated with a SIEM.

How:

config log eventfilter
set event enable
end

 

Centralized Logging and Reporting

Why: Device logs should be sent to a central system for collection, retention, and reporting, such as a SIEM, a syslog server, or FortiAnalyzer. Logs that only live on the firewall's own disk are lost when the device fails, is replaced, or is tampered with by an attacker.

How: See reference

How Does HIFENCE Managed Firewall Help?

With decades of cybersecurity experience, HIFENCE security experts will provide our advanced Managed Firewall that delivers 24/7 monitoring, detection, analysis, and the rapid response needed to protect your entire infrastructure from today’s most sophisticated threats. If you are interested in a company to help you manage your firewall and also provide managed IT services you can contact us!