Fortinet firewall CIS Hardening
From Notes_Wiki
FortiGate CIS Hardening Configuration Best Practices
This article provides the best practices for configuring various settings in FortiGate firewalls. It covers network, system settings, security profiles, VPN, user authentication, and logging. The steps are categorized for easy reference, and each configuration is explained with its importance.
Network Settings
Ensure DNS Server is Configured (Automated)
- Remediation Steps:
1. Go to Network > DNS.
2. Specify the DNS servers as follows:
   - Primary DNS: `1.1.1.1`
   - Secondary DNS: `1.0.0.3`
3. Save the configuration.
- Explanation: DNS is crucial for resolving domain names to IP addresses. Pointing the firewall at well-known public resolvers (the addresses given above, or Google's 8.8.8.8 and 8.8.4.4) ensures reliability and security.
Ensure Intra-Zone Traffic is Not Always Allowed (Manual)
- Remediation Steps:
1. Navigate to Network > Interfaces.
2. Select the zone and click Edit.
3. Enable the Block intra-zone traffic option.
- Explanation: By blocking intra-zone traffic, you prevent devices within the same security zone from communicating with each other unless explicitly allowed. This increases the security of your network.
Disable All Management Related Services on WAN Port (Manual)
- Remediation Steps:
1. Go to Network > Interfaces.
2. Select the WAN interface.
3. Disable management services such as HTTP, HTTPS, PING, SSH, SNMP, and RADIUS.
- Explanation: Disabling management services on the WAN port helps reduce attack vectors and ensures that only trusted internal networks can manage the device.
System Settings
General Settings
Ensure 'Pre-Login Banner' is Set (Automated)
- Remediation Steps:
1. Go to System > Replacement Messages.
2. In Extended View, select Pre-login Disclaimer Message and configure your banner.
3. Save the settings.
- Explanation: A pre-login banner provides a legal warning or any necessary information for users accessing the device, helping protect your organization.
Ensure 'Post-Login Banner' is Set (Automated)
- Remediation Steps:
1. Go to System > Replacement Messages.
2. In Extended View, find Post-login Disclaimer Message and configure the message.
3. Save the changes.
- Explanation: A post-login banner helps ensure users are reminded of policies or security measures after logging in.
Ensure Timezone is Properly Configured (Manual)
- Remediation Steps:
1. Log in to FortiGate.
2. Go to System > Settings.
3. Set the timezone under System Time (e.g., `(GMT-5:00) Eastern Time (US & Canada)`).
- Explanation: Configuring the correct timezone ensures accurate time stamps in logs and reports.
Ensure Correct System Time is Configured Through NTP (Automated)
- Remediation Steps (CLI):
1. Run the following commands (the `set ntpsync enable` line turns synchronization on; without it the servers are configured but not used):
       config system ntp
           set ntpsync enable
           set type custom
           config ntpserver
               edit 1
                   set server pool.ntp.org
               next
               edit 2
                   set server 1.1.1.1
               next
           end
       end
- Explanation: Time synchronization through NTP ensures that logs and system events carry accurate, consistent timestamps across all devices, which matters when correlating events during an investigation.
Ensure Hostname is Set (Automated)
- Remediation Steps:
1. Go to System > Settings.
2. Ensure that the Hostname field is set correctly.
3. Click Apply to save.
- Explanation: A unique hostname makes device identification easier and helps with proper network management.
Ensure the Latest Firmware is Installed (Manual)
- Remediation Steps:
1. Go to Dashboard > Status > System Information and check the current firmware version.
2. If needed, go to System > Firmware and upload the latest firmware.
- Explanation: Keeping the firmware up to date ensures the latest security patches and features are applied to your device.
Disable USB Firmware and Configuration Installation (Automated)
- Remediation Steps (CLI):
1. Run the following commands (the original text repeated the TLS static-key command here; the setting that controls USB auto-install is `system auto-install`):
       config system auto-install
           set auto-install-config disable
           set auto-install-image disable
       end
- Explanation: Disabling USB-based firmware and configuration installation minimizes the risk of unauthorized changes via physical access.
Disable Static Keys for TLS (Automated)
- Remediation Steps (CLI):
1. Run the following commands:
       config system global
           set ssl-static-key-ciphers disable
       end
- Explanation: Disabling static keys for TLS improves the security of encrypted communication.
Enable Global Strong Encryption (Automated)
- Remediation Steps (CLI):
1. Run the following commands:
       config system global
           set strong-crypto enable
       end
- Explanation: Enabling strong encryption enhances the security of data transmitted over the network.
Password Policy
Ensure 'Password Policy' is Enabled (Automated)
- Remediation Steps:
1. Go to System > Settings.
2. Find the Password Policy section.
3. Set the following:
   - Password scope: Both (the default is Off)
   - Minimum length: 8
   - Enable Character requirements
   - Set Upper Case, Lower Case, Numbers (0-9), and Special to 1
   - Disable Allow password reuse
   - Enable Password expiration and set it to 90 days
- Explanation: A strong password policy ensures that accounts are protected with robust passwords, helping to prevent unauthorized access. (This is an optional recommendation.)
Ensure Administrator Password Retries and Lockout Time Are Configured (Automated)
- Remediation Steps (CLI):
1. Run the following commands:
       config system global
           set admin-lockout-threshold 3
           set admin-lockout-duration 60
       end
- Explanation: Configuring retry limits and lockout duration helps prevent brute-force attacks on administrator accounts.
SNMP
Ensure SNMP Agent is Disabled (Automated)
- Remediation Steps:
1. Go to System > SNMP.
2. Disable the SNMP agent.
- Explanation: Disabling SNMP ensures that the device is not exposed to potential SNMP-based attacks.
Ensure Only SNMPv3 is Enabled (Automated)
- Remediation Steps:
1. Go to System > SNMP.
2. Ensure SNMPv3 is the only version enabled.
3. Remove any SNMPv1/v2c communities and create an SNMPv3 user.
- Explanation: SNMPv3 offers better security features, including authentication and encryption, compared to earlier versions.
Administrators and Admin Profiles
Ensure Default 'Admin' Password is Changed (Manual)
- Remediation Steps:
1. Log in with the admin account.
2. Go to System > Administrators.
3. Edit the admin account and change the password.
- Explanation: Changing the default admin password is critical to prevent unauthorized access.
Ensure All Login Accounts Have Specific Trusted Hosts Enabled (Manual)
- Remediation Steps:
1. Go to System > Administrators.
2. For each account, ensure that Restrict login to trusted hosts is enabled.
- Explanation: Restricting login to trusted hosts reduces the risk of unauthorized login attempts from untrusted sources.
Ensure Admin Accounts Have Correct Profiles Assigned (Manual)
- Remediation Steps:
1. Go to System > Administrators.
2. For each administrator account, review the assigned Administrator Profile and confirm it grants only the permissions that role needs.
- Explanation: Ensuring that each admin has a profile with the correct permissions helps enforce the principle of least privilege.
Ensure Idle Timeout is Configured (Automated)
- Remediation Steps:
1. Go to System > Settings.
2. Set Idle Timeout to 5 minutes.
- Explanation: Configuring idle timeouts helps prevent unauthorized access if an administrator leaves their session open.
Policy and Objects
Ensure Unused Policies Are Reviewed Regularly (Manual)
- Remediation Steps:
1. Go to Policy & Objects > IPv4 Policy.
2. Review the policies and check the Bytes or Hit Count columns to identify unused policies.
- Explanation: Regular review of policies helps ensure that unnecessary rules are removed, reducing the attack surface.
Ensure Policies Do Not Use ALL as Service (Automated)
- Remediation Steps:
1. Go to Policy & Objects > IPv4 Policy.
2. Edit policies to ensure specific services are used instead of "ALL".
- Explanation: Limiting policies to specific services reduces unnecessary access and enhances security.
Ensure Policies Are Uniquely Named (Manual)
- Explanation: Uniquely named policies help with auditing and prevent confusion during troubleshooting or configuration changes.
Firewall Policies
Ensure There Are No Unused Policies (Manual)
- Remediation Steps:
1. Go to Policy & Objects > IPv4 Policy.
2. Review all policies, check their hit count or bytes, and verify that there are no unused or inactive policies.
- Explanation: Unused policies may allow unintended access to services or hosts, potentially creating vulnerabilities. It is essential to regularly review firewall policies to ensure only active and necessary policies are in place.
Ensure Firewall Policy Denying All Traffic to/from Tor or Malicious Server IP Addresses Using ISDB (Manual)
- Remediation Steps:
1. Create an inbound firewall policy to block connections with these settings:
   - From: Any
   - To: Any
   - Source: "Tor-Exit.Node", "Tor-Relay.Node", and "Malicious-Malicious.Server"
   - Destination: All
   - Action: Deny
   - Log Violation Traffic: Enabled
   - Enable this Policy: Enabled
2. Create an outbound firewall policy to block connections with these settings:
   - From: Any
   - To: Any
   - Source: All
   - Destination: "Tor-Relay.Node" and "Malicious-Malicious.Server"
   - Action: Deny
   - Log Violation Traffic: Enabled
   - Enable this Policy: Enabled
- Explanation: Blocking traffic to/from Tor and known malicious server IP addresses helps prevent unwanted anonymous traffic and protects against potential malicious activity or compromised nodes.
Ensure Logging is Enabled on All Firewall Policies (Manual)
- Remediation Steps:
1. Go to Policy & Objects > IPv4 Policy.
2. Ensure that logging is enabled for all policies by selecting Log Violation Traffic and enabling logging for both accepted and denied traffic.
- Explanation: Enabling logging on firewall policies ensures that all traffic passing through the firewall is logged, making it easier to detect and investigate potential security incidents.
Security Profiles
Detect Botnet Connections (Manual)
- Remediation Steps:
1. Configure relevant IPS profiles with "Scan Outgoing Connections to Botnet Sites" set to "Block".
2. Apply the relevant IPS profile on all firewall policies with traffic exiting the network to a "WAN" interface.
- Explanation: Using IPS sensors on WAN interfaces helps detect and block outbound traffic to known botnet command-and-control (C&C) servers, preventing your network from participating in botnet activity.
Antivirus
Ensure Antivirus Definition Push Updates Are Configured (Automated)
- Remediation Steps (GUI for FortiOS 6):
1. Go to System > FortiGuard > FortiGuard Updates.
2. Ensure that Accept push updates is enabled.
- Remediation Steps (GUI for FortiOS 7):
1. Go to System > FortiGuard > FortiGuard Updates.
2. Ensure that Scheduled updates is set to Automatic.
- Explanation: Enabling automatic antivirus definition updates ensures that your FortiGate appliance is always protected against the latest malware threats without requiring manual updates.
Apply Antivirus Security Profile to Policies (Manual)
- Remediation Steps:
1. Go to Policy & Objects > IPv4 Policy.
2. Apply the Antivirus security profile to relevant firewall policies, ensuring traffic between networks is inspected for viruses.
- Explanation: Applying antivirus profiles to policies ensures that traffic traversing between interfaces is actively monitored and protected against malware.
Enable Outbreak Prevention Database (Automated)
- Remediation Steps:
1. Go to Security Profiles > AntiVirus.
2. Select the AV (Antivirus) profile and enable Outbreak Prevention.
- Explanation: Enabling outbreak prevention ensures that the system can detect and block new threats more quickly based on patterns of suspicious activity, enhancing proactive protection.
Enable AI / Heuristic-Based Malware Detection (Automated)
- Remediation Steps (CLI):
1. Run the following command to enable AI-based malware detection:
       config antivirus settings
           set machine-learning-detection enable
       end
- Explanation: Enabling AI-based detection allows the FortiGate to identify and block unknown malware by using machine learning techniques, offering advanced protection against emerging threats.
Enable Grayware Detection on Antivirus (Automated)
- Remediation Steps (CLI):
1. Run the following command to enable grayware detection:
       config antivirus settings
           set grayware enable
       end
- Explanation: Enabling grayware detection helps identify and block potentially unwanted applications (PUAs) and other suspicious software that may not be malicious but could pose a security risk.
DNS Filter
Enable Botnet C&C Domain Blocking DNS Filter (Automated)
- Remediation Steps:
1. Go to Security Profiles > DNS Filter.
2. Ensure that Redirect botnet C&C requests to Block portal is enabled.
3. Ensure that policies allowing DNS traffic apply a DNS Filter security profile.
- Explanation: Enabling botnet C&C domain blocking helps prevent devices from connecting to botnet command-and-control servers, reducing the risk of your network becoming part of a botnet.
Ensure DNS Filter Logs All DNS Queries and Responses (Manual)
- Remediation Steps:
1. Go to Security Profiles > DNS Filter.
2. Ensure that DNS logging is enabled for all DNS queries and responses.
- Explanation: Logging all DNS queries and responses allows you to monitor DNS traffic for suspicious activity, such as queries to known malicious domains.
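Logging every query only pays off if someone reads the result. The following Python script is an added example, not part of this wiki page or of Fortinet's tooling: it parses FortiOS-style key=value log lines, keeps only DNS Filter records whose action was block or redirect (the verdicts produced by the botnet C&C and category settings above), tallies them per source host, and flags any host that keeps asking for the same denied name, which is the pattern a client trying to reach a C&C domain produces after the filter has sent it to the block portal. Such hosts are the candidates for the Compromised Host Quarantine item later on this page. The log lines are constructed for the example, and the field names (subtype, srcip, qname, action, catdesc) are assumptions modelled on FortiOS DNS Filter logs rather than copied from a device; check them against your firmware's log reference.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in FortiOS-style key=value syslog syntax (not captured device output).
# Field names are assumed from FortiOS DNS Filter log conventions; verify against your firmware's log reference.
SAMPLE_DNS_LOGS = """\
date=2024-05-01 time=09:12:01 devname="FGT-EDGE-01" type="utm" subtype="dns" srcip=10.1.20.15 qname="www.example.com" qtype="A" action="pass" catdesc="Information Technology"
date=2024-05-01 time=09:12:05 devname="FGT-EDGE-01" type="utm" subtype="dns" srcip=10.1.20.15 qname="cnc.bad-example.invalid" qtype="A" action="redirect" catdesc="Malicious Websites"
date=2024-05-01 time=09:13:05 devname="FGT-EDGE-01" type="utm" subtype="dns" srcip=10.1.20.15 qname="cnc.bad-example.invalid" qtype="A" action="redirect" catdesc="Malicious Websites"
date=2024-05-01 time=09:14:05 devname="FGT-EDGE-01" type="utm" subtype="dns" srcip=10.1.20.15 qname="cnc.bad-example.invalid" qtype="A" action="redirect" catdesc="Malicious Websites"
date=2024-05-01 time=09:15:40 devname="FGT-EDGE-01" type="utm" subtype="dns" srcip=10.1.30.7 qname="ads.bad-example.invalid" qtype="A" action="block" catdesc="Malicious Websites"
date=2024-05-01 time=09:16:02 devname="FGT-EDGE-01" type="utm" subtype="dns" srcip=10.1.30.7 qname="updates.example.net" qtype="AAAA" action="pass" catdesc="Information Technology"
date=2024-05-01 time=09:16:10 devname="FGT-EDGE-01" type="traffic" subtype="forward" srcip=10.1.40.2 action="accept" service="HTTPS"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

# DNS Filter verdicts that stopped the lookup (redirect = answered with the block portal address)
DENIED = {"block", "redirect"}

def denied_by_host(lines):
    """Map source IP -> Counter of denied query names, using only DNS Filter (subtype=dns) records."""
    per_host = defaultdict(Counter)
    for rec in (parse_kv(line) for line in lines if line.strip()):
        if rec.get("subtype") == "dns" and rec.get("action") in DENIED:
            per_host[rec["srcip"]][rec["qname"]] += 1
    return per_host

def repeat_lookups(per_host, min_hits=3):
    """(srcip, qname, hits) for every host that asked for the same denied name at least min_hits times."""
    return sorted((host, qname, n) for host, names in per_host.items()
                  for qname, n in names.items() if n >= min_hits)

if __name__ == "__main__":
    hosts = denied_by_host(SAMPLE_DNS_LOGS.splitlines())
    for host, names in hosts.items():
        print(host, dict(names))
    for host, qname, hits in repeat_lookups(hosts):
        print(f"review {host}: {hits} denied lookups of {qname}")
```

The traffic-log line is deliberately included so that the subtype check is exercised: a forward-traffic record with action=accept must not be counted as a DNS verdict. The threshold in repeat_lookups is a starting point; a host that retries a denied name every minute is a stronger signal than three hits spread over a week, so in production you would also look at the time column.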
Application Control
Block High-Risk Categories on Application Control (Manual)
- Remediation Steps:
1. Go to Security Profiles > Application Control.
2. Select the App Control profile.
3. Block high-risk application categories, such as P2P, social media, and games, based on your organization's security policies.
- Explanation: Blocking high-risk categories helps reduce the likelihood of your network being compromised through unwanted or malicious applications.
Block Applications Running on Non-Default Ports (Automated)
- Remediation Steps:
1. Go to Security Profiles > Application Control.
2. Enable the option Block applications detected on non-default ports.
- Explanation: Blocking applications running on non-default ports prevents attackers from bypassing security by running applications on unconventional ports.
Ensure All Application Control Related Traffic Are Logged (Manual)
- Remediation Steps:
1. Go to Security Profiles > Application Control.
2. Ensure that logging is enabled for all traffic related to application control.
- Explanation: Logging all application control-related traffic ensures that any application-related threats are properly tracked and investigated.
Security Fabric
Enable Compromised Host Quarantine (Automated)
- Remediation Steps:
1. Go to Security Fabric > Automation.
2. Enable the Compromised Host Quarantine feature.
- Explanation: Enabling compromised host quarantine isolates infected devices from the rest of the network to prevent further spread of the infection.
Ensure Security Fabric is Configured (Automated)
- Remediation Steps:
1. Go to Security Fabric > Fabric Connectors.
2. Ensure that the root FortiGate is enabled with the role set to Serve as Fabric Root.
3. Verify FortiAnalyzer settings are correct and that interfaces are selected to allow other Security Fabric devices to join.
- Explanation: Configuring the root FortiGate within the Security Fabric ensures centralized management of security across the network, providing better visibility and control.
VPN
Apply a Trusted Signed Certificate for VPN Portal (Manual)
- Remediation Steps:
1. Import a signed certificate from a trusted CA by going to System > Certificates > Import.
2. Assign the certificate to the SSL VPN portal by going to VPN > SSL-VPN Settings and selecting the appropriate certificate.
- Explanation: Using a trusted signed certificate for the VPN portal ensures secure and trusted connections to the VPN, reducing the risk of man-in-the-middle attacks.
Enable Limited TLS Versions for SSL VPN (Manual)
- Remediation Steps (CLI):
1. Run the following commands to limit the TLS versions (the option is `ssl-max-proto-ver`, and FortiOS spells the version values `tls1-2`, `tls1-3`, etc.):
       config vpn ssl settings
           set ssl-min-proto-ver tls1-2
           set ssl-max-proto-ver tls1-2
       end
- Explanation: Limiting SSL VPN to only support secure TLS versions (e.g., TLS 1.2) helps mitigate vulnerabilities associated with older, insecure protocols.
Users and Authentication
Configuring the Maximum Login Attempts and Lockout Period (Automated)
- Remediation Steps (CLI):
1. Run the following commands to configure login attempts and lockout period:
       config user setting
           set auth-lockout-threshold 5
           set auth-lockout-duration 300
       end
- Explanation: Setting a maximum login attempt threshold and lockout period helps protect against brute-force attacks by locking out accounts after a set number of failed login attempts.
Logs and Reports
Enable Event Logging (Automated)
- Remediation Steps (CLI):
1. Run the following command to enable event logging:
       config log eventfilter
           set event enable
       end
- Explanation: Enabling event logging ensures that all significant events are logged, making it easier to track and respond to security incidents.
Encrypt Log Transmission to FortiAnalyzer / FortiManager (Automated)
- Remediation Steps:
1. Go to Log & Report > Log Settings.
2. When configuring remote logging to FortiAnalyzer/FortiManager, select Encrypt log transmission.
- Explanation: Encrypting log transmission ensures that log data is securely transmitted, preventing unauthorized access to sensitive log information.
Centralized Logging and Reporting (Automated)
- Remediation Steps:
1. Go to Log & Report > Log Settings.
2. Under Remote Logging and Archiving, configure a remote server to send logs to.
- Explanation: Centralized logging allows for better monitoring and analysis of security events across multiple devices, enhancing the overall security posture of your organization.
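Most of the CLI items on this page reduce to a handful of key/value settings in the FortiOS configuration, so they can be verified offline against `show full-configuration` output rather than by clicking through each GUI screen after every change. The following Python script is an added example, not part of this wiki page or of Fortinet's tooling: it parses the config/edit/set/next/end syntax into nested dictionaries, evaluates a table of checks drawn from the items above (strong-crypto, ssl-static-key-ciphers, the admin lockout threshold, the admin idle timeout, ntpsync, USB firmware auto-install, the SNMP agent, and the SSL VPN minimum TLS version), and then walks `config firewall policy` for the service ALL, logging, and unique-name items from the Policy and Objects sections. The sample configuration is constructed; the thresholds (3 retries, 5-minute timeout, TLS 1.2) are taken from this page, while the `system snmp sysinfo` section and its `status` key are assumed from the FortiOS CLI and are not quoted anywhere above.

```python
import shlex

# Constructed sample shaped like "show full-configuration" output (not a real device backup). Audit
# full-configuration output: a plain backup omits keys still at their FortiOS default, reported here as UNSET.
SAMPLE_CONFIG = """\
config system global
    set strong-crypto enable
    set ssl-static-key-ciphers enable
    set admin-lockout-threshold 3
    set admintimeout 30
end
config system ntp
    set ntpsync enable
end
config system auto-install
    set auto-install-image disable
end
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
end
config firewall policy
    edit 1
        set name "lan-to-wan-web"
        set service "HTTPS" "DNS"
        set logtraffic all
    next
    edit 2
        set name "lan-to-wan-web"
        set service "ALL"
        set logtraffic disable
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts: section -> edit id -> key -> values."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        tok = shlex.split(raw)               # also strips the quotes FortiOS puts around strings
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":               # open a section such as "system global"
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":               # open a table entry (policy id, server id, ...)
            stack.append(cur)
            cur = cur.setdefault(tok[1], {})
        elif tok[0] in ("next", "end"):      # close the innermost entry or section
            cur = stack.pop()
        elif tok[0] == "set":                # key -> list of values
            cur[tok[1]] = tok[2:]
    return root

def _eq(*ok): return lambda v: v in ok
def _at_most(n): return lambda v: v.isdigit() and int(v) <= n

# (section, key, predicate on the first value, item from the checklist above)
CHECKS = [
    ("system global", "strong-crypto", _eq("enable"), "Enable Global Strong Encryption"),
    ("system global", "ssl-static-key-ciphers", _eq("disable"), "Disable Static Keys for TLS"),
    ("system global", "admin-lockout-threshold", _at_most(3), "Administrator Password Retries"),
    ("system global", "admintimeout", _at_most(5), "Ensure Idle Timeout is Configured"),
    ("system ntp", "ntpsync", _eq("enable"), "Correct System Time Through NTP"),
    ("system auto-install", "auto-install-image", _eq("disable"), "Disable USB Firmware Installation"),
    ("system snmp sysinfo", "status", _eq("disable"), "Ensure SNMP Agent is Disabled"),  # section/key assumed
    ("vpn ssl settings", "ssl-min-proto-ver", _eq("tls1-2", "tls1-3"), "Limited TLS Versions for SSL VPN"),
]

def audit_settings(cfg):
    """One (status, section, key, value, item) row per check; UNSET means the key is absent."""
    rows = []
    for section, key, ok, item in CHECKS:
        vals = cfg.get(section, {}).get(key)
        val = vals[0] if vals else None
        status = "UNSET" if val is None else ("PASS" if ok(val) else "FAIL")
        rows.append((status, section, key, val, item))
    return rows

def audit_policies(cfg):
    """Findings for the policy items: service ALL, logtraffic not 'all', duplicate policy names."""
    findings, by_name = [], {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        name = (pol.get("name") or ["<unnamed>"])[0]
        by_name.setdefault(name, []).append(pid)
        if "ALL" in pol.get("service", []):
            findings.append((pid, "service is ALL"))
        if pol.get("logtraffic", [None])[0] != "all":
            findings.append((pid, "logtraffic is not 'all'"))
    for name, ids in by_name.items():
        if len(ids) > 1:
            findings.append((",".join(ids), f"duplicate policy name {name!r}"))
    return findings

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for status, section, key, val, item in audit_settings(cfg):
        print(f"{status:5} {section:20} {key:24} {str(val):8} {item}")
    for pid, msg in audit_policies(cfg):
        print(f"POLICY {pid}: {msg}")
```

UNSET is reported separately from FAIL on purpose: a key that is absent from a plain backup is usually at its firmware default, and whether that default is safe depends on the FortiOS version, so the script refuses to guess and leaves that row for a human to confirm. Running the audit on `show full-configuration` output, which prints defaults explicitly, turns most UNSET rows into a definite PASS or FAIL.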