Building security into FortiOS

The FortiOS operating system, FortiGate hardware devices, and FortiGate virtual machines (VMs) are built with security in mind, so many security features are built into the hardware and software. Fortinet maintains ISO 9001 certified software and hardware development processes to ensure that FortiOS and FortiGate products are developed in a secure manner.

Boot PROM and BIOS security

The boot PROM and BIOS in FortiGate hardware devices use Fortinet's own FortiBootLoader that is designed and controlled by Fortinet. FortiBootLoader is a secure, proprietary BIOS for all FortiGate appliances. FortiGate physical devices always boot from FortiBootLoader.

FortiOS kernel and user processes

FortiOS is a multi-process operating system with kernel and user processes. The FortiOS kernel runs in a privileged hardware mode while higher-level applications run in user mode. FortiOS is a closed system that does not allow the loading or execution of third-party code in the FortiOS user space. All non-essential services, packages, and applications are removed.

Administration access security

This section describes FortiOS and FortiGate administration access security features.

As the first step on a new deployment, review default settings such as administrator passwords, certificates for GUI and SSL VPN access, SSH keys, open administrative ports on interfaces, and default firewall policies. As soon as the FortiGate is connected to the internet it is exposed to external risks, such as unauthorized access, man-in-the-middle attacks, spoofing, DoS attacks, and other malicious activity. Either use the startup wizard or manually reconfigure the default settings to tighten your security from the beginning, thereby securing your network to its full potential.

Admin administrator account

All FortiGate firewalls ship with a default administrator account called admin. By default, this account does not have a password, except for FortiGate VMs on public clouds. FortiOS allows administrators to add a password for this account or to remove the account and create new custom super_admin administrator accounts.

For more information, see Rename the admin administrator account.

Secure password storage

Passwords are encrypted when stored on the FortiGate, and encoded when displayed in the CLI and configuration file.

To enhance your password security, you can specify your own private key for the encryption process. This ensures that your key is unique. The key is also required to restore the system from a configuration file. In HA clusters, the same key should be used on all of the units.

To enable and enter your own private encryption key:
config system global
    set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
Your private data encryption key is accepted.
Note: This is an example. Using 0123456789abcdef0123456789abcdef as your private key is not recommended.

Maintainer account

Administrators with physical access to a FortiGate appliance can use a console cable and a special administrator account called maintainer to log into the CLI. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password for the maintainer account is bcpb followed by the FortiGate serial number. An administrator has 60 seconds to complete this login. See the Fortinet knowledge base or Resetting a lost Admin password for details.

The only action the maintainer account has permissions to perform is to reset the passwords of super_admin accounts. Logging in with the maintainer account requires a hard boot of the FortiGate. FortiOS generates event log messages when you log in with the maintainer account and for each password reset.

The maintainer account is enabled by default; however, there is an option to disable this feature. The maintainer account can be disabled using the following command:

config system global
    set admin-maintainer disable
end

Caution: If you disable this feature and lose your administrator passwords, you will no longer be able to log in to your FortiGate.

Administrative access security

Secure administrative access features:

  • SSH, Telnet, and SNMP are disabled by default. If required, these admin services must be explicitly enabled on each interface from the GUI or CLI.
  • SSHv1 is disabled by default. SSHv2 is the default version.
  • SSLv3 and TLS1.0 are disabled by default. TLSv1.1 and TLSv1.2 are the SSL versions enabled by default for HTTPS admin access.
  • HTTP is disabled by default, except on dedicated MGMT, DMZ, and predefined LAN interfaces. HTTP redirect to HTTPS is enabled by default.
  • The strong-crypto global setting is enabled by default and configures FortiOS to use strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.
  • SCP is disabled by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file. To enable SCP:

config system global
    set admin-scp enable
end

  • DHCP is enabled by default on the dedicated MGMT interface and on the predefined LAN port (defined on some FortiGate models).
  • The default management access configuration for FortiGate models with dedicated MGMT, DMZ, WAN, and LAN interfaces is shown below. Outside of the interfaces listed below, management access must be explicitly enabled on interfaces – management services are enabled on specific interfaces and not globally.
    • Dedicated management interface
      • Ping
      • FMG-Access (fgfm)
      • CAPWAP
      • HTTPS
      • HTTP
    • Dedicated WAN1/WAN2 interface
      • Ping
      • FMG-Access (fgfm)
    • Dedicated DMZ interface
      • Ping
      • FMG-Access (fgfm)
      • CAPWAP
      • HTTPS
      • HTTP
    • Dedicated LAN interface
      • Ping
      • FMG-Access (fgfm)
      • CAPWAP
      • HTTPS
      • HTTP
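As an added audit example (not Fortinet's code), the following Python parses a constructed FortiOS-style configuration dump and flags administrative-access settings that depart from the defaults listed above. The `allowaccess` interface keyword is the FortiOS CLI setting that carries these services; the interface names and values in the sample are constructed.

```python
# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-scp enable
    set strong-crypto enable
    set admin-maintainer disable
end
config system interface
    edit "mgmt"
        set allowaccess ping https ssh http fgfm
    next
    edit "wan1"
        set allowaccess ping fgfm
    next
    edit "port1"
        set allowaccess ping https ssh telnet snmp
    next
end
"""

# Admin services that are cleartext or legacy and are off by default on most interfaces.
RISKY_SERVICES = {"http", "telnet", "snmp"}


def parse_config(text):
    """Return (global_settings, {interface: set_of_allowaccess_services})."""
    globals_, ifaces = {}, {}
    section = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line == "end":
            section = None
        elif section == "system interface" and line.startswith("edit "):
            iface = line[len("edit "):].strip('"')
            ifaces[iface] = set()
        elif line == "next":
            iface = None
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            if section == "system global":
                globals_[key] = value
            elif section == "system interface" and iface and key == "allowaccess":
                ifaces[iface] = set(value.split())
    return globals_, ifaces


def audit(text):
    """List findings where the config departs from the hardened defaults."""
    globals_, ifaces = parse_config(text)
    findings = []
    if globals_.get("strong-crypto", "enable") != "enable":
        findings.append("strong-crypto disabled")
    if globals_.get("admin-scp") == "enable":
        findings.append("admin-scp enabled (off by default; confirm it is needed)")
    if globals_.get("admin-maintainer") == "disable":
        findings.append("admin-maintainer disabled (console password recovery is no longer possible)")
    for name, services in sorted(ifaces.items()):
        risky = sorted(services & RISKY_SERVICES)
        if risky:
            findings.append(f"{name}: {', '.join(risky)} enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

HTTP on the dedicated MGMT interface is a factory default per the list above, so the script reports it as a review item rather than a definite fault.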

Non-factory SSL certificates

Non-factory SSL certificates should be used for the administrator and SSL VPN portals. Your certificate should identify your domain so that remote users can recognize the identity of the server or portal that they are accessing through a trusted CA.

The default Fortinet factory self-signed certificates are provided to simplify initial installation and testing. Using these certificates leaves you vulnerable to man-in-the-middle attacks, where an attacker spoofs your certificate, compromises your connection, and steals your personal information.

It is highly recommended that you purchase a server certificate from a trusted CA to allow remote users to connect to SSL VPN with confidence. Your administrator web portal should also be configured with a server certificate from a trusted CA.

Network security

This section describes FortiOS and FortiGate network security features.

Network interfaces

The following are disabled by default on each FortiGate interface:

  • Broadcast forwarding
  • STP forwarding
  • VLAN forwarding
  • L2 forwarding
  • Netbios forwarding
  • Ident accept

For more information, see Disable unused protocols on interfaces.

TCP sequence checking

FortiOS uses TCP sequence checking to ensure a packet is part of a TCP session. By default, anti-replay protection is strict, which means that if a packet is received with sequence numbers that fall out of the expected range, FortiOS drops the packet. Strict anti-replay checking performs packet sequence checking and ICMP anti-replay checking with the following criteria:

  • The SYN, FIN, and RST bits cannot appear in the same packet.
  • FortiOS does not allow more than one ICMP error packet to go through before it receives a normal TCP or UDP packet.
  • If FortiOS receives an RST packet, FortiOS checks whether the sequence number in the RST is within the un-ACKed data and drops the packet if it is not.
  • For each new session, FortiOS checks whether the TCP sequence number in the SYN packet has been calculated correctly and that the stream starts from the correct value.
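As an added illustration (not FortiOS code), this Python toy model tracks one direction of one TCP session and applies the four strict anti-replay criteria above to constructed packets; the window size, the ISN+1 start rule and the "RST within [una, nxt]" interpretation are simplifying assumptions of the model.

```python
from dataclasses import dataclass

SYN, FIN, RST = 0x02, 0x01, 0x04   # TCP flag bits
WINDOW = 65535                     # receive window assumed; wraparound ignored


@dataclass
class Packet:
    flags: int = 0
    seq: int = 0
    length: int = 0           # payload bytes carried
    icmp_error: bool = False  # an ICMP error (e.g. unreachable) about this session


class Tracker:
    """Follows one direction of one TCP session and applies the strict rules."""

    def __init__(self):
        self.isn = None       # peer's initial sequence number, fixed by its SYN
        self.nxt = None       # next sequence number expected from the peer
        self.una = None       # oldest peer byte not yet ACKed by the other side
        self.icmp_errors = 0  # ICMP errors seen since the last normal packet

    def other_side_acked(self, ack):
        """The other endpoint ACKed up to `ack`; shrink the un-ACKed range."""
        if self.una is not None and self.una <= ack <= self.nxt:
            self.una = ack

    def check(self, p):
        """Return (accept, reason) for a packet under strict anti-replay rules."""
        # 1. SYN, FIN and RST must not be combined in one segment.
        if bin(p.flags & (SYN | FIN | RST)).count("1") > 1:
            return False, "syn/fin/rst combined in one segment"
        # 2. Only one ICMP error is let through before normal traffic resumes.
        if p.icmp_error:
            if self.icmp_errors >= 1:
                return False, "second icmp error before normal traffic"
            self.icmp_errors += 1
            return True, "icmp error allowed"
        self.icmp_errors = 0
        # 4. A new session must start with a SYN; its ISN fixes where the stream begins.
        if p.flags & SYN:
            if self.isn is not None:
                return False, "duplicate syn for tracked session"
            self.isn, self.nxt, self.una = p.seq, p.seq + 1, p.seq
            return True, "syn accepted, isn recorded"
        if self.isn is None:
            return False, "non-syn packet for unknown session"
        # 3. An RST is honoured only if its sequence number lies in the un-ACKed data.
        if p.flags & RST:
            if self.una <= p.seq <= self.nxt:
                return True, "rst in un-acked range"
            return False, "rst sequence outside un-acked data"
        # Data and FIN segments must fall in the expected range, starting at isn + 1.
        if not (self.nxt <= p.seq < self.nxt + WINDOW):
            return False, "sequence outside expected range"
        self.nxt = max(self.nxt, p.seq + p.length + (1 if p.flags & FIN else 0))
        return True, "in window"
```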

Reverse path forwarding

FortiOS implements a mechanism called Reverse Path Forwarding (RPF), or Anti Spoofing, to block an IP packet from being forwarded unless its source IP either:

  • belongs to a locally attached subnet (local interface), or
  • lies in the routing domain of the FortiGate through another source (static route, RIP, OSPF, BGP).

If neither condition is met, FortiOS silently drops the packet.
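As an added example (not FortiOS code), this Python models the RPF decision against a constructed routing table: the longest-prefix route back to the packet's source must point out of the interface the packet arrived on. Prefixes, interface names and route sources below are all constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # interface the route points out of
    source: str      # connected, static, rip, ospf or bgp


def route(prefix, interface, source):
    return Route(ipaddress.IPv4Network(prefix), interface, source)


# Constructed routing table standing in for a FortiGate's: a connected LAN,
# a static route, an OSPF-learned range and a default route towards the WAN.
ROUTING_TABLE = (
    route("10.1.0.0/24", "port2", "connected"),
    route("192.168.50.0/24", "port2", "static"),
    route("172.16.0.0/16", "port3", "ospf"),
    route("0.0.0.0/0", "wan1", "static"),
)


def best_route(table, addr):
    """Longest-prefix match for addr; None when no route covers it."""
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_allows(table, ingress, src):
    """Strict RPF: the route back to the source must leave via the ingress interface.

    Returns (accept, reason) so a caller can log why a packet was dropped.
    """
    addr = ipaddress.IPv4Address(src)
    r = best_route(table, addr)
    if r is None:
        return False, f"no route back to {src}"
    if r.interface != ingress:
        return False, f"{src} is reachable via {r.interface}, not {ingress}"
    return True, f"{src} reachable via {ingress} ({r.source} route)"


if __name__ == "__main__":
    # An internal source arriving on the WAN side is the classic spoofing case.
    for iface, src in (("wan1", "10.1.0.7"), ("port2", "10.1.0.7"),
                       ("wan1", "203.0.113.9"), ("port2", "172.16.4.1")):
        ok, why = rpf_allows(ROUTING_TABLE, iface, src)
        print("accept" if ok else "drop  ", iface, src, "-", why)
```

With a default route present, a packet on wan1 is only dropped when a more specific route points elsewhere; remove the default route and the "no route back" case becomes reachable.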

FIPS and Common Criteria

FortiOS has received NDPP, EAL2+, and EAL4+ based FIPS and Common Criteria certifications. Common Criteria evaluations involve formal, rigorous analysis and testing to examine the security aspects of a product or system. Extensive testing activities follow a comprehensive and formally repeatable process, confirming that the security product functions as claimed by the manufacturer. Security weaknesses and potential vulnerabilities are specifically examined during an evaluation.

To see Fortinet's complete history of FIPS/CC certifications go to the following URL and add Fortinet to the Vendor field:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search

PSIRT advisories

The FortiGuard Labs Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. Any such findings are fed back to Fortinet's development teams, and serious issues are described along with protective solutions. The PSIRT regularly releases PSIRT advisories when issues are found and corrected. Advisories are listed at https://www.fortiguard.com/psirt.