Security
This section lists tips to further enhance security.
Topology
- Virtual servers can be on the same subnet as physical servers. This configuration creates a one-arm load balancer.
For example, the virtual server 10.0.0.2/24 could forward to the physical server 10.0.0.3-200.
If you are deploying gradually, you might want to initially install your FortiADC in a one-arm topology during the transition phase, and route traffic to it only after you have configured FortiADC to handle it.
Long term, this is not recommended. Unless your network’s routing configuration prevents it, it could allow clients that are aware of the physical server’s IP address to bypass the FortiADC appliance by accessing the physical server directly. - Make sure web traffic cannot bypass the FortiADC appliance in a complex network environment.
- FortiADC appliances are not general-purpose firewalls. While they are security-hardened network appliances, security is not their primary purpose, and you should not allow to traffic pass through without inspection. FortiADC and FortiGate complement each other to improve security, availability, and performance.To protect your servers, install the FortiADC appliance or appliances between the servers and a general purpose firewall such as a FortiGate. FortiADC complements, and does not replace, general purpose firewalls.
- Disable all network interfaces that should not receive any traffic.
For example, if administrative access is typically through port1, the Internet is connected to port2, and servers are connected to port3, you would disable (“bring down”) port4. This would prevent an attacker with physical access from connecting a cable to port4 and thereby gaining access if the configuration inadvertently allows it.
Administrator access
- As soon as possible during initial setup, give the default administrator,
admin
, a password. This super-administrator account has the highest level of permissions possible, and access to it should be limited to as few people as possible. - Change all administrator passwords regularly. Set a policy—such as every 60 days—and follow it. (Mark the Change Password check box to reveal the password dialog.)
- Instead of allowing administrative access from any source, restrict it to trusted internal hosts. On those computers that you have designated for management, apply strict patch and security policies. Always password-encrypt any configuration backup that you download to those computers to mitigate the information that attackers can gain from any potential compromise.
- Do not use the default administrator access profile for all new administrators. Create one or more access profiles with limited permissions tailored to the responsibilities of the new administrator accounts.
- By default, an administrator login that is idle for more than 30 minutes times out. You can change this to a longer period in Timeout, but Fortinet does not recommend it. Left unattended, a web UI or CLI session could allow anyone with physical access to your computer to change system settings. Small idle timeouts mitigate this risk.
- Administrator passwords should be at least 8 characters long and include both numbers and letters.
- Restrict administrative access to a single network interface (usually port1), and allow only the management access protocols needed.
- Use only the most secure protocols. Disable ping, except during troubleshooting. Disable HTTP, SNMP, and Telnet unless the network interface only connects to a trusted, private administrative network.
- Disable all network interfaces that should not receive any traffic.
- For example, if administrative access is typically through port1, the Internet is connected to port2, and servers are connected to port3, you would disable (“bring down”) port4. This would prevent an attacker with physical access from connecting a cable to port4 and thereby gaining access if the configuration inadvertently allows it.
- Immediately revoke certificates that have been compromised. If possible, automate the distribution of certificate revocation lists.