Published (last): 27 August 2017
Hardening your FortiGate

This document describes a series of techniques used to improve the security of administrative access to a FortiGate device. The following sections are included:

Install the FortiGate unit in a physically secure location
Maintain the firmware
Add new administrator accounts
Change the admin account name and limit access to this account
Only allow administrative access to the external interface when needed
When enabling remote access, configure Trusted Hosts and Two-factor Authentication
Change the default administrative port to a non-standard port
Modify the device name
Register with support services
Maintain short login timeouts
Enable automatic clock synchronization
Enable Password Policy
Modify administrator account Lockout Duration and Threshold values
Disable auto installation via USB
Configure auditing and logging

Install the FortiGate unit in a physically secure location

A good place to start is physical security.
Install the FortiGate unit in a secure location, such as a locked room or a room with restricted access. If unauthorized users have physical access they can disrupt your entire network by disconnecting your FortiGate unit either by accident or on purpose. They could also connect a console cable and attempt to log into the CLI.
Also, when a FortiGate unit reboots, a person with physical access can interrupt the boot process and install different firmware.

Maintain the firmware

On installation of a new firewall, it is necessary to update the firmware to the latest version provided by the manufacturer.
Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. Review the Supported Upgrade Paths document to make sure the upgrade from your current image to the desired new image is supported. Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.
Only the admin user and administrators whose access profiles grant system read and write privileges can change the FortiGate firmware.

Add new administrator accounts

Rather than allowing all administrators to access the FortiGate unit with the admin account, create a separate administrator account for each person who requires administrative access. That way you can track who made configuration changes and performed other administrative activities. Keep the number of administrative accounts to a minimum to retain control over who can access the device. Administrators with the predefined prof_admin profile can do anything except add new administrator accounts. To improve security, only a very few administrators (usually one) should be able to add new administrators.
If you want some administrator accounts to have limited access to the FortiGate configuration you can create custom admin profiles that only allow access to selected parts of the configuration. For example, if you want to add an admin profile that does not allow changing firewall policies, when you configure the admin profile set Firewall Configuration to None or Read Only.
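The following is an added example (not part of the Fortinet document) showing the two steps above in the FortiOS 5.x CLI: a custom admin profile that allows only read access to the firewall policy tree and no access to administrator accounts, and a per-person account bound to it. The profile name, account name, password placeholder and VDOM are assumptions; check each option with `?` on your firmware version, since option names vary slightly between releases.

```fortios
# Custom profile: full read on most areas, firewall policies read-only,
# and no access to administrator management (admingrp none), so a holder
# of this profile cannot create further admins.
config system accprofile
    edit "noc_readonly"
        set scope vdom
        set admingrp none
        set authgrp read
        set fwgrp read
        set loggrp read-write
        set mntgrp read
        set netgrp read
        set routegrp read
        set sysgrp read
        set updategrp none
        set utmgrp read
        set vpngrp read
    next
end

# One account per person, never a shared login. The password below is a
# placeholder; set a real passphrase that meets the password policy.
config system admin
    edit "jsmith"
        set accprofile "noc_readonly"
        set vdom "root"
        set password "Replace-With-A-Strong-Passphrase"
    next
end

# Verify: the new account should list the custom profile, and the default
# admin should be the only super_admin left.
show system admin
get system admin list
```

Because the firewall group is `read`, an administrator logged in as jsmith can inspect policies for troubleshooting but any `config firewall policy` change is rejected, and the audit log records the attempt under that user rather than under a shared admin account.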
Change the admin account name and limit access to this account

The default super-admin account is named admin. You can improve security by changing this name to one more difficult for an attacker to guess. Consider also using the super-admin account only for adding or changing administrators. Store the account name and password for this account in a secure location in case the account name or password is forgotten.

Configuring Trusted Hosts

Setting trusted hosts for administrators limits the computers from which an administrator can log in to the FortiGate unit. Any attempt to log in with the same credentials from any other IP address or subnet is dropped. To ensure the administrator has access from different locations, you can enter up to ten IP addresses or subnets. Ideally, this list should be kept to a minimum. For higher security, use a single IP address with a netmask of 255.255.255.255. CLI access through the console port is not affected. Also ensure all entries contain actual IP addresses, not the default 0.0.0.0, which permits login from anywhere.
Two-factor Authentication

FortiToken Mobile generates one-time passwords (OTPs) on the administrator's phone. Once activated, users can generate OTPs on their mobile device without network access; no cellular network is required for activation. Two free trial tokens are included with every registered FortiGate unit. Additional tokens can be purchased from your reseller or from Fortinet. Configure the administrator as required; you need to enter an email address and phone number in order to receive the activation code for FortiToken Mobile.

Select Enable Two-factor Authentication. Select the token to associate with the administrator. Select OK to assign the token to the administrator.

Change the default administrative port to a non-standard port

When connecting to the FortiGate unit after the port has been changed, the port must be included in the URL or SSH command.
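The following is an added example (not taken from the Fortinet document) that ties together the preceding sections in the FortiOS 5.x CLI: creating a replacement super-admin account that is pinned to a single trusted host and a FortiToken, removing the default admin account, moving the HTTPS and SSH management ports, and withdrawing management access from the external interface. The account name, addresses, ports, interface names, email, phone number and the token serial `FTKMOB0000000000` are all placeholders; the token must already be activated on the unit before it can be assigned.

```fortios
# 1. Replacement super-admin, reachable only from one management host and
#    protected with a FortiToken. trusthost1 uses a /32 mask; any login with
#    these credentials from elsewhere is dropped before authentication.
config system admin
    edit "fw-breakglass"
        set accprofile "super_admin"
        set vdom "root"
        set password "Replace-With-A-Strong-Passphrase"
        set trusthost1 10.20.30.5 255.255.255.255
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
        set email-to "fw-admins@example.com"
        set sms-phone "+15555550100"
    next
end

# 2. Log in as fw-breakglass from 10.20.30.5 and confirm it works BEFORE
#    deleting the default account. FortiOS will not let you delete the
#    account you are currently logged in with, which is the safety net here.
config system admin
    delete admin
end

# 3. Move the GUI and SSH off the default ports. From now on connect with
#    https://<fortigate>:8443 and ssh -p 2222.
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
end

# 4. No management on the external interface; keep it on the internal one.
#    Add https/ssh back to wan1 only for the duration of a remote change.
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end
```

Order matters: create and test the new super-admin first, then delete admin, then change ports, and announce the new ports to every administrator. A check from an untrusted address after this is applied should show the TCP connection being refused or dropped rather than a login prompt.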
Modify the device name

The name of the device needs to be modified so that it can be positively identified. A label shall also be placed on the device with its name. Finally, add an entry in DNS with the name of the unit and its IP address.
Register with support services

In order to activate the services and warranty of the device, it is necessary to register the serial number of the device on the manufacturer's website. This task shall always be performed with the same account under which all units have been registered, in order to obtain centralized management.

Maintain short login timeouts

The administrative session has an idle timeout. That is, if the web-based manager is not used for a specified amount of time, the FortiGate unit automatically logs the administrator out. To continue their work, they must log in again. The timeout can be set as high as 480 minutes (eight hours), although this is not recommended. A best practice is to keep the default of 5 minutes. For SSH, the grace period allowed between opening the connection and completing the login is 120 seconds (2 minutes) by default.

You can shorten this in the CLI by changing how long the command prompt may remain idle before the FortiGate unit logs the administrator out. The SSH grace period can be set between 10 and 3600 seconds.

Enable automatic clock synchronization

Accurate time facilitates auditing and keeps the unit consistent with the expiry dates used by certificates and security protocols.
In global configuration mode (config global on a multi-VDOM unit), execute the following; the NTP server address is not given in the source and is left as a placeholder:

    config system ntp
        set ntpsync enable
        set type custom
        config ntpserver
            edit 1
                set server "<ntp-server-address>"
            next
        end
    end

Enable Password Policy

A password policy enforces minimum complexity on administrator passwords. It can discover common passwords where a letter is replaced by a number. Using the available options you can define the required length of the password, what it must contain (numbers, upper and lower case, and so on) and an expiry time frame. The FortiGate unit will warn of any password that is added and does not meet the criteria.
Modify administrator account Lockout Duration and Threshold values

The lockout duration is how long an account stays locked after too many failed logins; the default value is 60 seconds. You may set a value that balances the need to prevent account cracking against the needs of an administrator who may have difficulty accessing their account. It is normal for an administrator to sometimes take a few attempts to log on with the right password. The lockout threshold can be set to any value from 1 to 10. The default value is 3, which is normally a good setting. However, to improve security you could reduce it to 1 or 2, as long as administrators know to take extra care when entering their passwords.
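The following is an added example (not from the Fortinet document) that applies the timeout, password-policy and lockout sections above in one FortiOS 5.x CLI script, with the weak default value for each setting noted in a comment beside the hardened one. The specific numbers (5-minute idle timeout, 60-second SSH grace, 12-character minimum, 90-day expiry, 5-minute lockout) are assumptions chosen as reasonable operational values, not Fortinet requirements.

```fortios
config system global
    # Idle timeout for GUI/CLI sessions, in minutes (default 5, max 480).
    set admintimeout 5
    # Seconds allowed to finish SSH authentication (default 120, range 10-3600).
    set admin-ssh-grace-time 60
    # Failed logins before lockout (default 3, range 1-10) and lockout
    # length in seconds (default 60). 300 s slows brute force markedly while
    # still letting a fumbling admin retry within a coffee break.
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
end

config system password-policy
    set status enable
    # Apply to administrator passwords (ipsec-preshared-key can be added).
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    # A new password must differ from the old one in at least four characters.
    set change-4-characters enable
    set expire-status enable
    set expire-day 90
end

# Verify the effective values.
show full-configuration system global | grep admin
show system password-policy
```

Existing administrator passwords are not re-checked retroactively when the policy is enabled; each administrator is prompted to comply the next time their password is changed or expires, so set expire-day to force that to happen within a bounded period.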
Disable auto installation via USB

An attacker with physical access to the device could load a new configuration or firmware onto the FortiGate from the USB port by power-cycling the device. To prevent this, execute the following CLI commands:

    config system auto-install
        set auto-install-config disable
        set auto-install-image disable
    end

Configure auditing and logging

By default, FortiGate logs all deny actions.
This default behavior should not be changed. Also send log files to a central location such as FortiCloud or a syslog server, so that an attacker who compromises the unit cannot erase the evidence, and configure alert email, which is an efficient and direct way of notifying an administrator of events.
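The following is an added example (not part of the Fortinet document) of the logging posture described above in the FortiOS 5.x CLI: keep implicit-deny logging on, ship logs off-box to both a syslog collector and FortiCloud, and raise email alerts for administrator logins and configuration changes. The collector address, facility and mailbox are placeholders, and the alert email commands assume the unit's outbound mail server has already been configured.

```fortios
# Keep logging of traffic dropped by the implicit deny policy; disabling this
# blinds you to scans and probes that never match an explicit rule.
config log setting
    set fwpolicy-implicit-log enable
end

# Off-box copy 1: syslog over TCP ("reliable") to the SOC collector, so logs
# survive a compromise or factory reset of the FortiGate itself.
config log syslogd setting
    set status enable
    set server "10.20.40.9"
    set port 514
    set facility local7
    set reliable enable
end

# Off-box copy 2: FortiCloud, uploaded in real time rather than in batches.
config log fortiguard setting
    set status enable
    set upload-option realtime
end

# Direct notification of the events an auditor cares about most.
config alertemail setting
    set mailto1 "soc@example.com"
    set admin-login-logs enable
    set configuration-changes-logs enable
end

# Check that the collector is receiving: log in from a test host, then look
# for the event on the collector and in the local event log.
execute log filter category event
execute log display
```

Two independent destinations are deliberate: syslog gives the SOC its own retention and correlation, FortiCloud gives an out-of-band copy that does not depend on the internal network the attacker is already on. Review both routinely rather than only after an incident.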
An auditing schedule should be established to routinely inspect logs for signs of intrusion and probing.