Fortinet FortiGate Firewall Configuration: Best Practices and Tips

Introduction

Configuring a firewall is a critical aspect of network security, and the Fortinet FortiGate Firewall stands as one of the most robust solutions available. Known for its comprehensive security features and high performance, FortiGate firewalls are trusted by organizations worldwide to protect their digital environments.

Importance of Proper Configuration

Proper configuration of a firewall is essential to ensure that it effectively protects an organization's network from threats. Misconfigurations can lead to vulnerabilities, making the network susceptible to attacks. Therefore, following best practices in firewall configuration helps maintain a strong security posture.

Complementing firewall configurations with third-party risk management solutions further enhances network security. Responsible Cyber, a leading provider of cybersecurity and risk management solutions, offers insights into how their innovative platforms like RiskImmune can protect organizations from internal and external threats. These solutions work in tandem with robust firewall configurations such as those provided by Fortinet FortiGate Firewalls.

Understanding these foundational elements sets the stage for delving deeper into specific best practices and actionable tips for configuring your Fortinet FortiGate Firewall.

1. Policy Configuration

Policy Configuration is a fundamental aspect of managing your Fortinet FortiGate firewall. It involves defining rules that dictate how traffic should be handled, ensuring that only legitimate traffic is allowed while malicious or unwanted traffic is blocked.

Advantages of Using a "Deny by Default" Policy Rule Base

Implementing a deny by default policy rule base offers several advantages:

• Enhanced Security: By default, all traffic is blocked unless explicitly allowed, reducing the risk of unauthorized access and potential security breaches.
• Controlled Traffic Flow: This approach ensures that only necessary services and applications are accessible, minimizing the attack surface.
• Compliance with Regulations: Many regulatory frameworks recommend or require a deny by default stance, aiding in compliance efforts.

How to Implement a "Deny by Default" Policy Rule Base

To implement a deny by default policy rule base on your FortiGate firewall, follow these steps:

1. Create Explicit Allow Policies:
   • Define rules that specify the allowed traffic based on criteria such as source/destination IP addresses, ports, and protocols.
   • Example: Allow HTTP/HTTPS traffic from trusted internal networks to specific web servers.
2. Set the Default Action to Deny:
   • Ensure that any traffic not matching an explicit allow policy is automatically denied.
   • Navigate to Policy & Objects > IPv4 Policy > Create New, and set the policy action to "DENY" for unspecified traffic.
3. Regularly Review and Update Policies:
   • Periodically review the policies to ensure they align with current security requirements and organizational needs.
   • Remove outdated or unnecessary rules to maintain clarity and effectiveness.

For more detailed guidance on implementing robust cybersecurity measures, you can refer to resources such as this article on navigating USA Federal and State Regulations for Third-Party Risk Management or this guide on implementing the NIST framework for enhanced third-party cybersecurity compliance.

Properly configuring your firewall's policy rule base forms the foundation of a secure network environment.

2. Planning Policy Configuration Changes

Planning policy configuration changes during low usage periods is crucial for maintaining the stability and performance of your Fortinet FortiGate firewall. Low usage periods typically involve times when network activity is at its minimum, such as late nights or weekends. Implementing changes during these windows ensures that any potential disruptions have minimal impact on business operations.

Making policy changes during high traffic periods can lead to increased CPU usage and a significant impact on established sessions. When CPU resources are strained, it can degrade the performance of the firewall, potentially leading to slower network speeds or even downtime. This makes careful planning essential.

Steps to Minimize Impact:

1. Identify Low Usage Periods:
   • Analyze network traffic patterns to determine the best times for making changes.
   • Utilize monitoring tools to gather data on peak and low traffic times.
2. Stage Changes:
   • Break down large changes into smaller, manageable stages.
   • Apply incremental updates rather than a single extensive modification.
3. Test in a Controlled Environment:
   • Use a test environment that mirrors your production setup.
   • Validate changes in this controlled setting before applying them live.
4. Monitor Performance Post-Implementation:
   • Closely monitor CPU and session metrics after making changes.
   • Ensure there are no unexpected spikes in resource usage.
5. Have a Rollback Plan:
   • Prepare a contingency plan to revert changes if issues arise.
   • Document all configurations and maintain backups for quick recovery.

For additional insights into efficient planning and minimizing risks, Dr. Magda Lilia Chelly, an award-winning global cybersecurity leader and one of the top 20 most influential personalities in the field, offers valuable resources and advice on cybersecurity best practices. Exploring her expertise can provide further strategies tailored to your specific needs.

Furthermore, Risk Immune's blog is another excellent resource that delves into cybersecurity challenges and offers insights on efficient planning and risk mitigation strategies.

Implementing these strategies helps ensure that your firewall configuration remains robust without adversely affecting network performance or user experience.

3. De-accelerating Hardware-Accelerated Sessions

Hardware-accelerated sessions on Fortinet FortiGate firewalls use specialized hardware components to improve performance by offloading certain tasks from the CPU. These components, like Network Processing Units (NPUs), can handle data plane traffic more efficiently, which reduces delay and increases throughput. While this speed boost is helpful in normal situations, it can create issues when making changes to policy configurations.

Managing Policy Configuration Changes Using CLI Commands

To make policy configuration changes without causing disruptions or compromising system stability, it's important to de-accelerate hardware-accelerated sessions. This can be done effectively using Command Line Interface (CLI) commands.

Here's how you can temporarily disable hardware acceleration:

shell config system npu set npu-offload disable end

This command sequence turns off NPU offloading, ensuring that all traffic is processed by the firewall's CPU during configuration changes. Once you've made the necessary adjustments, you can re-enable hardware acceleration with the following commands:

shell config system npu set npu-offload enable end

By utilizing these CLI commands, administrators can smoothly handle policy changes without sacrificing performance or compromising security.

Note: It's important to note that these CLI commands are specific to Fortinet FortiGate firewalls and may not be applicable to other devices or platforms.

For more information on managing third-party risks and understanding risk management principles related to cybersecurity, you may find these resources helpful:

• Global Guide to Third Party Risk Management: Key Standards and Regulations in 2024
• Understanding TPRM

4. Policy Allowlisting

Proper policy allowlisting is a fundamental aspect of firewall configuration. It ensures that only necessary inbound and outbound traffic is permitted, significantly enhancing the security posture of your network.

Importance of Allowing Only Necessary Inbound/Outbound Traffic

A well-configured firewall should adopt a principle of least privilege. This means allowing only essential traffic while blocking everything else by default. By restricting unnecessary traffic, you mitigate the risk of unauthorized access and potential security breaches. Implementing this principle can help safeguard sensitive data and maintain network integrity.

Limiting Traffic to Specific Addresses/Subnets

To implement effective policy allowlisting, it’s crucial to limit traffic to specific IP addresses or subnets. This targeted approach helps in minimizing the attack surface by ensuring that only trusted sources can communicate with your network. For example:

• Inbound Traffic: Permit connections only from known IP ranges that are required for business operations.
• Outbound Traffic: Restrict outbound communications to necessary destinations, such as specific servers or services on the internet.

This strategy not only enhances security but also improves network performance by reducing unnecessary load.

By focusing on policy allowlisting, you create a robust defense mechanism that proactively blocks unauthorized access and minimizes potential vulnerabilities.

5. IPS Signatures for Public Services

Setting up Intrusion Prevention System (IPS) signatures is crucial in protecting public-facing services from known threats. By implementing IPS signatures, you can proactively block malicious activities before they compromise your network.

Steps to Set Up IPS:

1. Identify Critical Services: Determine which services are publicly accessible and thus most vulnerable to attacks.
2. Select Relevant IPS Signatures: Choose IPS signatures that correlate with the services identified. For instance, if you are running a web server, ensure you have signatures for common web-based attacks such as SQL injection and cross-site scripting (XSS).
3. Configure IPS Policies:
   • Navigate to Security Profiles > Intrusion Prevention.
   • Create a new profile or edit an existing one.
   • Add the selected signatures to this profile.
4. Apply IPS Profiles to Firewall Policies:
   • Go to Policy & Objects > IPv4 Policy.
   • Edit the policy that governs traffic to your public service.
   • Under Security Profiles, enable IPS and select the profile configured earlier.

Benefits of Blocking Signatures:

• Enhanced Security: Block known malicious patterns that target vulnerabilities in public services.
• Reduced False Positives: Tailoring IPS profiles ensures that only relevant threats are flagged, minimizing interruptions to legitimate traffic.
• Proactive Defense: Preemptively stops potential breaches by addressing vulnerabilities before they are exploited.

By integrating tailored IPS signatures into your FortiGate firewall configuration, you bolster your defenses against specific threats targeting your public-facing services.

6. Configuring DoS Policies

Configuring DoS policies is crucial in safeguarding your network from denial-of-service attacks that can overwhelm resources and disrupt services. One of the key aspects of configuring these policies is setting thresholds for maximum normal traffic. These thresholds help detect and mitigate unusual spikes in traffic, ensuring that legitimate traffic isn't affected while malicious activity is blocked.

Setting thresholds for maximum normal traffic in DoS policies:

• Analyze Baseline Traffic: Before setting thresholds, it's vital to understand your network's baseline traffic patterns. Use historical data to create a benchmark.
• Define Thresholds: Based on the baseline, configure thresholds that accommodate normal variations in traffic without being too restrictive. For example, if your average inbound traffic is 500 Mbps, you might set the threshold at 700 Mbps to account for occasional spikes.
• Adjust Regularly: Traffic patterns can change due to business growth or seasonal variations. Regularly review and adjust thresholds to ensure they remain effective.

Enabling ASIC DoS offloading using NP6 ASICs:

Fortinet FortiGate firewalls equipped with NP6 ASICs provide hardware acceleration for DoS mitigation. This offloading significantly enhances performance by processing packets at the hardware level instead of the CPU.

• Enable ASIC Offloading: In the FortiGate's CLI, use commands like config firewall dos-policy to enable ASIC offloading. This ensures high-speed packet processing and reduces CPU load.
• Monitor Performance: Even with ASIC offloading, continuously monitor your system's performance and fine-tune settings as needed.

By effectively configuring DoS policies and leveraging NP6 ASICs for offloading, you can robustly protect your network against disruptive attacks while maintaining optimal performance.

7. Secure Configuration File

Securing the configuration file is crucial for maintaining the integrity and security of your Fortinet FortiGate firewall. A compromised configuration file can expose sensitive data and network vulnerabilities.

Enabling Encryption and Storing in a Secure Location

• Encryption: Ensure that the configuration file is encrypted to prevent unauthorized access. Use robust encryption algorithms to safeguard the data.
• Secure Storage: Store the encrypted configuration file in a secure location, such as a dedicated secure server or an encrypted storage device. Avoid storing it on shared drives or locations accessible by unauthorized personnel.

Best Practices for Sharing the Configuration File

When sharing the configuration file:

• Share Only Necessary Sections: Avoid sharing the entire configuration file. Share only the necessary sections relevant to the task at hand.
• Use Password Masking: Implement password masking techniques to hide sensitive information within the configuration file.
• Secure Transfer Methods: Always use secure methods for transferring the configuration file, such as encrypted email or secure file transfer protocols (SFTP).

Following these practices helps ensure that your configuration file remains secure, reducing potential risks associated with unauthorized access and data breaches.

8. Firmware Management

Keeping your FortiOS firmware up to date is crucial for maintaining the security and performance of your Fortinet FortiGate firewall. Regular firmware updates address vulnerabilities, improve speed, and introduce new features that are essential for strong network protection.

Why It's Important to Update FortiOS Firmware

Updating firmware regularly helps fix security issues that attackers could exploit. It also ensures that your firewall works well with other network devices and remains stable.

Understanding Release Notes

Before installing any firmware update, it's important to read the release notes. These notes provide detailed information about new features, bug fixes, and known problems. They help you understand what changes are being made and how they might affect your current setup.

Avoiding Unsupported Firmware

Using firmware versions that are not supported can put your network at risk unnecessarily. Always make sure that the firmware you're about to install is supported by Fortinet and works with your hardware model. Unsupported versions may not have important security patches and updates.

Enabling Automatic Firmware Updates

To make updating easier, you can turn on automatic firmware updates. This feature will automatically keep your firewall's software up to date without needing you to do it manually. It lowers the chances of using outdated software, which can be risky. Just remember to set up automatic updates within the same major release version patch to avoid possible compatibility problems.

By paying attention to these areas of firmware management, you can greatly enhance the security and efficiency of your Fortinet FortiGate firewall.

Additional Security Measures for Fortinet FortiGate Firewall Configuration

Implementing comprehensive security measures is crucial to maintaining the integrity and performance of your FortiGate firewall. Here are some essential practices:

Regularly Updating FortiGuard Databases

FortiGuard databases, including Antivirus (AV), Intrusion Prevention System (IPS), and Application Control (AS), need frequent updates to protect against evolving threats. Regular updates ensure your firewall has the latest signatures and definitions to detect and mitigate new vulnerabilities.

Conducting Penetration Testing

Regular penetration testing identifies potential weaknesses in your firewall configuration. Engaging a professional cybersecurity firm can provide an objective evaluation of your defenses. This proactive approach helps reveal gaps that automated tools might miss, allowing you to strengthen your overall security posture.

Implementing DoS Policies

Denial-of-Service (DoS) policies prevent unauthorized traffic from overwhelming your network. Setting appropriate thresholds for normal traffic patterns and enabling ASIC DoS offloading using NP6 ASICs ensures that legitimate traffic flows smoothly while malicious attempts are thwarted. This mitigates risks associated with network disruptions and service outages.

Adopting these additional security measures enhances the resilience of your FortiGate firewall, ensuring robust protection against a wide array of cyber threats.

Ensuring Strong Access Controls through Password and Private Key Security

Password and Private Key Security is essential for a strong Fortinet FortiGate firewall configuration. Encrypting passwords and private keys is crucial to protect sensitive information from unauthorized access and potential breaches.

Key Practices:

• Encrypt Passwords and Private Keys: Make sure all passwords and private keys are encrypted to prevent unauthorized access. Encryption converts readable data into an unreadable format, making it difficult for cybercriminals to exploit.
• Utilize Predefined Private Keys: Use predefined private keys for encryption processes. This adds an extra layer of security by ensuring only authenticated users can decrypt the information.
• Hash System Admin Passwords with SHA256: Hashing is another method to secure passwords. By hashing system admin passwords with SHA256, you convert them into fixed-size strings that are nearly impossible to reverse-engineer. SHA256 is known for its strength against brute-force attacks, providing a high level of security.

These practices not only enhance security but also ensure compliance with industry standards and regulations, thereby strengthening your network against cyber threats.

Conclusion

Maintaining a secure configuration for your Fortinet FortiGate Firewall is essential to safeguard your network. By following these best practices and tips:

• Implementing a "deny" by default policy rule base
• Planning policy changes during low usage periods
• Securing configuration files

you can significantly enhance your firewall's security. Regular updates to FortiGuard databases and firmware, along with strong access controls, will ensure that your firewall stays strong against new threats. Prioritizing these strategies will help you achieve a robust and reliable Fortinet FortiGate Firewall configuration.

FAQs (Frequently Asked Questions)

What is the importance of configuring a firewall properly?

Configuring a firewall properly is crucial for ensuring the security of the network. It helps in controlling and monitoring incoming and outgoing network traffic based on predetermined security rules, preventing unauthorized access and potential threats.

What are the advantages of using a 'deny' by default policy rule base?

Using a 'deny' by default policy rule base ensures that all traffic is blocked by default unless specifically allowed. This approach provides an additional layer of security by minimizing the risk of unauthorized access or malicious activities.

How can one implement a 'deny' by default policy rule base?

To implement a 'deny' by default policy rule base, one needs to configure firewall rules that explicitly deny all traffic by default. Then, specific rules should be added to allow desired traffic based on organizational requirements.

Why is it important to plan policy configuration changes during low usage periods?

Planning policy configuration changes during low usage periods minimizes disruption to ongoing operations and reduces the impact on CPU usage and established sessions. It helps in maintaining network stability while implementing necessary changes.

What are hardware-accelerated sessions, and how can they be managed using CLI commands?

Hardware-accelerated sessions utilize specialized hardware for processing network traffic at high speeds. These sessions can be managed using CLI commands to make policy configuration changes, ensuring efficient utilization of hardware resources.

Why is it important to allow only necessary inbound/outbound traffic and limit traffic to specific addresses/subnets?

Allowing only necessary inbound/outbound traffic and limiting traffic to specific addresses/subnets reduces the attack surface and minimizes the risk of unauthorized access or data breaches. It enhances overall network security.

How can IPS be set up to block signatures associated with public-facing services?

IPS can be set up to block signatures associated with public-facing services by configuring IPS policies to detect and block known threats based on predefined signatures. This preemptive measure helps in stopping potential threats before they can exploit vulnerabilities.

What are some best practices for securing the configuration file of Fortinet FortiGate firewall?

Securing the configuration file involves enabling encryption and storing it in a secure location with restricted access. It is also important to follow best practices for sharing the configuration file to prevent unauthorized access or misuse of sensitive information.

Why is it important to keep FortiOS firmware up to date, review release notes, and avoid unsupported firmware?

Keeping FortiOS firmware up to date is crucial for addressing security vulnerabilities, improving performance, and accessing new features. Reviewing release notes helps in understanding the changes, while avoiding unsupported firmware ensures compatibility and support from the manufacturer.

What additional security measures can be implemented for Fortinet FortiGate firewall configuration?

Additional security measures include regularly updating FortiGuard databases (AS, IPS, AV) to stay protected against emerging threats, conducting penetration testing or hiring a company to verify security measures, and implementing DoS policies to mitigate denial-of-service attacks.

Why is it important to ensure strong access controls through password and private key security?

Ensuring strong access controls through password and private key security helps in preventing unauthorized access and protecting sensitive information. Encrypting passwords, using predefined private keys, and hashing system admin passwords with SHA256 enhances overall security.