Menu 

Best Practices: Fortinet FortiGate Firewall Hardening

Best Practices: Fortinet FortiGate Firewall Hardening

By Sahan Fernando – Director, Managed Security – Intrinium 

As business needs continue to develop, many organizations are turning to devices to effectively provide availability, confidentiality, and integrity for their networks. The buzz around “next-gen” firewalls is huge but, for no good reason. It is much simpler to consolidate the functions of Intrusion Prevention, Web Filtering, Application Control, and Gateway Anti-Virus into one box rather than several. The latest devices from several vendors offer this convenience at a competitive price.

At Intrinium, we strive to stay technologically agnostic to provide our customers with the best solutions for their specific needs. We have had several deployments utilizing Fortinet’s FortiGate Firewall product line. We have developed an expert level understanding of how to properly deploy, manage, and monitor firewalls. Out of the box, the default configuration for a FortiGate is decently secured, but there are several basic steps that we recommend doing to harden the box to ensure optimal performance. Below, we have outlined three steps that will help you perform best.

Limiting Access:

We recommend turning off all management access from the Internet if it does not have a clear business need. At most, HTTPS and PING should be enabled and if available, FortiManager as well.

If you are an enterprise with multiple firewalls, it would be best to enable all management access (HTTPS, SSH, PING, SNMP) from the inside and install FortiManager commands against the internal interfaces. If you do need HTTPS access from the Internet, we recommend changing the management port from the default 443 (i.e 10443) and recommend only utilizing TLS 1.2 for connections to the device itself. TLS1.0 and above are enabled by default and will need to be changed for both management access and the SSL VPN.

Invest in firmware:

It is crucial to have the firmware version. Intrinium and Fortinet both recommend being one fully patched major release (MR) behind the latest build and recommend not upgrading to that branch until there are at least four to five patches. The release notes provide bug fixes and feature updates

Secure the perimeter:

Ensure that your SNMP settings are using SNMPv3 with encryption and configure your UTM profiles. We recommend going through the settings to ensure that you are blocking rather than detecting viruses and intrusion attempts is critical. Put what you can into visibility mode As always, it is important to have internal policies built with the principle of least privilege and the appropriate security controls and full logging is essential to the architecture.

Overall, these basic steps outlined above will give a good baseline for ensuring that you are starting to realize the full potential of your device. As always, if you require assistance, Intrinium would love to advise on how to build a resilient, scalable, and secure network to ensure that IT is a cornerstone of your organization’s success.

 

 

Submit a Comment

Pin It on Pinterest

Share This