Building security into FortiOS
The FortiOS operating system, FortiGate hardware devices, and FortiGate virtual machines (VMs) are built with security in mind, so many security features are built into the hardware and software. Fortinet maintains ISO 9001 certified software and hardware development processes to ensure that FortiOS and FortiGate products are developed in a secure manner.
Boot PROM and BIOS security
The boot PROM and BIOS in FortiGate hardware devices use Fortinet's own FortiBootLoader that is designed and controlled by Fortinet. FortiBootLoader is a secure, proprietary BIOS for all FortiGate appliances. FortiGate physical devices always boot from FortiBootLoader.
FortiOS kernel and user processes
FortiOS is a multi-process operating system with kernel and user processes. The FortiOS kernel runs in a privileged hardware mode while higher-level applications run in user mode. FortiOS is a closed system that does not allow the loading or execution of third-party code in the FortiOS user space. All non-essential services, packages, and applications are removed.
Administration access security
This section describes FortiOS and FortiGate administration access security features.
As the first step on a new deployment, review the default settings: administrator passwords, certificates for GUI and SSL VPN access, SSH keys, open administrative ports on interfaces, and default firewall policies. As soon as the FortiGate is connected to the internet it is exposed to external risks such as unauthorized access, man-in-the-middle attacks, spoofing, DoS attacks, and other malicious activity. Either use the startup wizard or manually reconfigure the default settings to tighten your security from the beginning, so that your network is secured to its full potential.
Admin administrator account
All FortiGate firewalls ship with a default administrator account called admin. By default, this account does not have a password, except for FortiGate VMs on public clouds. FortiOS allows administrators to add a password for this account or to remove the account and create new custom super_admin administrator accounts.
For more information, see Rename the admin administrator account.
Secure password storage
Passwords and certificate private keys stored on the FortiGate are encrypted using a predefined private key, and encoded when displayed in the CLI and configuration file. System admin passwords are hashed with SHA256 and encoded before being displayed.
Passwords cannot be decrypted without the private key and are not shown anywhere in clear text. The private key is required on other FortiGates to restore the system from a configuration file. In an HA cluster, the same key should be used on all of the units.
To enhance password security, specify a custom private key for the encryption process. This ensures that the key is only known by you.
FortiGate models with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on the TPM. For more information, see Trusted platform module support.
To configure your own private encryption key:
config system global
set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers): ********************************
Please re-enter your private data encryption key (32 hexadecimal numbers) again: ********************************
Your private data encryption key is accepted.
Configuration backup
The FortiGate configuration file has important information that should always be kept secured, including details about your network, users, credentials, passwords, and keys. There are many reasons to back up your configuration, such as disaster recovery, preparing for migrating to another device, and troubleshooting. Evaluate the risk involved if your configurations were exposed, and manage your risk accordingly.
When backing up your configuration, consider the following steps to safeguard the file:
- Enable Encryption when backing up the configuration.
- Store the configuration file in a secure location.
- Delete old configuration files that are no longer needed.
If a configuration file must be shared with a third party for auditing, troubleshooting, or any other reasons, consider only providing a section of the file and not the entire file. Otherwise, consider the following steps:
- Enable Encryption when backing up the configuration and only share the password with the intended party.
- Manually replace the passwords in the backed up configuration file.
- Request that the configuration file be deleted after the intended purpose has been satisfied.
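As an added example (not Fortinet's code), the following Python script carries out the two steps above on a FortiOS backup: it pulls one top-level `config ... end` section out of the file and blanks the values of secret-bearing `set` lines, including multi-line PEM private keys, before the excerpt is shared. The secret-key list and the sample backup are constructed assumptions.

```python
# Added example, not Fortinet code: pull one top-level section out of a FortiOS
# backup and blank secret values before sharing. Key list and sample are assumed.
import re
SECRET_KEYS = {"password", "passwd", "psksecret", "private-key", "secret"}
SET_LINE = re.compile(r'^(\s*set\s+(\S+)\s+)(.*)$')  # "set <key> <value>"

def extract_section(config_text, name):
    """Lines of the top-level `config <name>` ... `end` block, nesting-aware."""
    depth, inside, out = 0, False, []
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            inside = inside or (depth == 0 and s == f"config {name}")
            depth += 1
        if inside:
            out.append(line)
        if s == "end":
            depth -= 1
            if inside and depth == 0:
                break
    return out

def scrub(lines, placeholder="<REDACTED>"):  # blank values of secret `set` lines
    out, count, skipping = [], 0, False
    for line in lines:
        if skipping:  # inside a multi-line quoted value (PEM key): drop until it closes
            skipping = not line.rstrip().endswith('"')
            continue
        m = SET_LINE.match(line)
        if m and m.group(2) in SECRET_KEYS:
            v = m.group(3)
            skipping = v.startswith('"') and not v.endswith('"')
            line, count = m.group(1) + placeholder, count + 1
        out.append(line)
    return out, count

# Constructed sample backup; the ENC blob and PEM body are not real secrets.
SAMPLE = """\
config system global
    set hostname "fw-edge-1"
end
config vpn certificate local
    edit "fw-cert"
        set password ENC AAAAconstructedNotRealBlob==
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIconstructedNotARealKey==
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
"""
```

Run `scrub(extract_section(SAMPLE, "vpn certificate local"))` to get the shareable lines and the number of values that were blanked; review the result by eye before sending it, since only the listed keys are scrubbed.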
Maintainer account
Administrators with physical access to a FortiGate appliance can use a console cable and a special administrator account called maintainer to log into the CLI. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password for the maintainer account is bcpb followed by the FortiGate serial number. An administrator has 60 seconds to complete this login. See the Fortinet knowledge base or Resetting a lost Admin password for details.
The only action the maintainer account has permissions to perform is to reset the passwords of super_admin accounts. Logging in with the maintainer account requires a hard boot of the FortiGate. FortiOS generates event log messages when you log in with the maintainer account and for each password reset.
The maintainer account is enabled by default; however, there is an option to disable this feature. The maintainer account can be disabled using the following command:
config system global
set admin-maintainer disable
end
If you disable this feature and lose your administrator passwords, you will no longer be able to log into your FortiGate.
Administrative access security
Secure administrative access features:
- SSH, Telnet, and SNMP are disabled by default. If required, these admin services must be explicitly enabled on each interface from the GUI or CLI.
- SSHv1 is disabled by default. SSHv2 is the default version.
- SSLv3 and TLS1.0 are disabled by default. TLSv1.1 and TLSv1.2 are the SSL versions enabled by default for HTTPS admin access.
- HTTP is disabled by default, except on dedicated MGMT, DMZ, and predefined LAN interfaces. HTTP redirect to HTTPS is enabled by default.
- The strong-crypto global setting is enabled by default and configures FortiOS to use strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.
- SCP is disabled by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file. To enable SCP:
config system global
set admin-scp enable
end
- DHCP is enabled by default on the dedicated MGMT interface and on the predefined LAN port (defined on some FortiGate models).
- The default management access configuration for FortiGate models with dedicated MGMT, DMZ, WAN, and LAN interfaces is shown below. Outside of the interfaces listed below, management access must be explicitly enabled on interfaces – management services are enabled on specific interfaces and not globally.
  - Dedicated management interface: Ping, FMG-Access (fgfm), CAPWAP, HTTPS, HTTP
  - Dedicated WAN1/WAN2 interface: Ping, FMG-Access (fgfm)
  - Dedicated DMZ interface: Ping, FMG-Access (fgfm), CAPWAP, HTTPS, HTTP
  - Dedicated LAN interface: Ping, FMG-Access (fgfm), CAPWAP, HTTPS, HTTP
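An added example (not Fortinet's code) that applies this guidance to a configuration backup: it reads `set allowaccess` under `config system interface` and reports interfaces where HTTP, Telnet, or SNMP are allowed, so each can be justified or removed. The sample configuration is constructed.

```python
# Added example, not Fortinet code: list the management services allowed on
# each interface in a FortiOS configuration backup and flag the ones this
# guide says to leave disabled unless required. The sample backup is constructed.
import re
FLAGGED = {"http", "telnet", "snmp"}  # cleartext or disabled-by-default services
EDIT_RE = re.compile(r'^edit\s+"([^"]+)"$')

def interface_access(config_text):
    """Map interface name -> set of `allowaccess` services."""
    result, depth, in_section, current = {}, 0, False, None
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            in_section = in_section or (depth == 0 and s == "config system interface")
            depth += 1
        elif s == "end":
            depth -= 1
            in_section = in_section and depth > 0
        elif in_section and depth == 1:  # skip nested blocks such as `config ipv6`
            m = EDIT_RE.match(s)
            if m:
                current = m.group(1)
                result[current] = set()  # no allowaccess line: nothing allowed
            elif s.startswith("set allowaccess ") and current:
                result[current] = set(s.split()[2:])
    return result

def findings(config_text):
    """Sorted (interface, service) pairs that need a justification."""
    return sorted((name, svc)
                  for name, services in interface_access(config_text).items()
                  for svc in services & FLAGGED)

SAMPLE = """\
config system interface
    edit "mgmt"
        set allowaccess ping https ssh http fgfm
    next
    edit "wan1"
        set allowaccess ping fgfm
    next
    edit "lan"
        set allowaccess ping https ssh snmp http fgfm
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
"""
```

`findings(SAMPLE)` reports HTTP on mgmt and both HTTP and SNMP on lan; wan1 only allows ping and fgfm and is not reported.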
Non-factory SSL certificates
Non-factory SSL certificates should be used for the administrator and SSL VPN portals. Your certificate should identify your domain so that remote users can recognize the identity of the server or portal that they are accessing through a trusted CA.
The default Fortinet factory self-signed certificates are provided to simplify initial installation and testing. Using these certificates leaves you vulnerable to man-in-the-middle attacks, where an attacker spoofs your certificate, compromises your connection, and steals your personal information.
It is highly recommended that you purchase a server certificate from a trusted CA to allow remote users to connect to SSL VPN with confidence. Your administrator web portal should also be configured with a server certificate from a trusted CA. See Purchase and import a signed SSL certificate for information.
Network security
This section describes FortiOS and FortiGate network security features.
Network interfaces
The following are disabled by default on each FortiGate interface:
- Broadcast forwarding
- STP forwarding
- VLAN forwarding
- L2 forwarding
- Netbios forwarding
- Ident accept
For more information, see Disable unused protocols on interfaces.
TCP sequence checking
FortiOS uses TCP sequence checking to ensure a packet is part of a TCP session. By default, anti-replay protection is strict, which means that if a packet is received with sequence numbers that fall out of the expected range, FortiOS drops the packet. Strict anti-replay checking performs packet sequence checking and ICMP anti-replay checking with the following criteria:
- The SYN, FIN, and RST bit cannot appear in the same packet.
- FortiOS does not allow more than 1 ICMP error packet to go through before it receives a normal TCP or UDP packet.
- If FortiOS receives an RST packet, FortiOS checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect.
- For each new session, FortiOS checks to determine if the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value.
Reverse path forwarding
FortiOS implements a mechanism called Reverse Path Forwarding (RPF), or Anti Spoofing, to block an IP packet from being forwarded if its source IP does not:
- belong to a locally attached subnet (local interface), or
- be in the routing domain of the FortiGate from another source (static route, RIP, OSPF, BGP).
If those conditions are not met, FortiOS silently drops the packet.
FIPS and Common Criteria
FortiOS has received NDPP, EAL2+, and EAL4+ based FIPS and Common Criteria certifications. Common Criteria evaluations involve formal rigorous analysis and testing to examine security aspects of a product or system. Extensive testing activities involve a comprehensive and formally repeatable process, confirming that the security product functions as claimed by the manufacturer. Security weaknesses and potential vulnerabilities are specifically examined during an evaluation.
To see Fortinet's complete history of FIPS/CC certifications go to the following URL and add Fortinet to the Vendor field:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
PSIRT advisories
The FortiGuard Labs Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. Any such findings are fed back to Fortinet's development teams, and serious issues are described along with protective solutions. The PSIRT regularly releases PSIRT advisories when issues are found and corrected. Advisories are listed at https://www.fortiguard.com/psirt.