Hardening

System hardening reduces security risk by eliminating potential attack vectors and shrinking the system's attack surface. The best practices described previously in this document contribute to the hardening of the FortiGate; this section covers some other actions that can be used.

Physical security

Install the FortiGate in a physically secure location. Physical access to the FortiGate can allow it to be bypassed, or other firmware could be loaded after a manual reboot.

If the FortiGate cannot be physically secured:

  • Disable USB firmware and configuration installation:

    config system auto-install
        set auto-install-config disable
        set auto-install-image disable
    end
    
  • Enable port security (802.1x) to prevent unauthorized devices from forwarding traffic.

  • Optionally, disable the maintainer account. Note that doing this will make you unable to recover administrator access using a console connection if all of the administrator credentials are lost.

Vulnerability - monitoring PSIRT

The Fortinet Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. The findings are sent to the Fortinet development teams, and serious issues are described, along with protective solutions, in advisories listed at https://www.fortiguard.com/psirt.

Firmware

Keep the FortiOS firmware up to date. The latest patch release has the most fixed bugs and vulnerabilities, and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.

  • Read the release notes. The known issues may include issues that affect your business.

  • Do not use out of support firmware. Review the product lifecycle and plan to upgrade before the firmware expires.

  • Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

Encrypted protocols

Use encrypted protocols whenever possible, for example, SNMPv3 instead of SNMP, SSH instead of telnet, OSPF MD5 authentication, SCP instead of FTP or TFTP, NTP authentication, and encrypted logging instead of TCP.

Strong ciphers

Force higher levels of encryption and strong ciphers:

config system global
    set strong-crypto enable
    set ssh-hmac-md5 disable
    set ssh-cbc-cipher disable
    set ssl-static-key-ciphers disable
    set dh-params 8192
end

See FortiGate encryption algorithm cipher suites for more information.

FortiGuard databases

Ensure that FortiGuard databases, such as antispam (AS), IPS, and antivirus (AV), are updated punctually. Optionally, send an alert if they are out of date.

Penetration testing

Test your FortiGate to try to gain unauthorized access, or hire a penetration testing company to verify your work.

Denial of service

Denial of service (DoS) is a type of attack meant to disable a machine or network, making the resource inaccessible to its users. Most often this is accomplished by overwhelming the target with more traffic than it can handle, resulting in a crash. DoS policies, which look for anomalous traffic patterns, are checked before the more resource-intensive security policies to help prevent this.

The following guidelines can be used to get started with DoS policies. These policies can be applied to incoming traffic from your local network or internet, depending on your particular network.

  • Ensure the FortiGate is receiving regular IPS signature updates from the FortiGuard network through a valid subscription.
  • Enable anomaly logging and keep the action as monitor for some time. This is to observe and understand what expected traffic looks like so that you may tune thresholds to have small margins, and therefore more protection. Keep note of false alarms. If they are too frequent, you should adjust your policy accordingly.
  • Enable the following DoS policy anomalies to help prevent targeted attacks:
    • tcp_syn_flood
    • tcp_port_scan
    • tcp_src_session
    • tcp_dst_session
    • ip_src_session
    • ip_dst_session

    If you have an idea of your traffic rates for the preceding traffic patterns, you may adjust the threshold. Otherwise, begin with the default and adjust after a period of observing normal traffic. For more information, see DoS protection in the FortiOS Administration Guide.

  • Where possible, enable ASIC DoS for offloading using network processor ASICs. The FortiOS Hardware Acceleration Guide contains more information about DoS-related NP6 ASIC features, such as configuring NP6 anomaly protection and using the host protection engine (HPE) to protect the FortiGate from DoS attacks.

Secure password storage

The passwords, and private keys used in certificates, that are stored on the FortiGate are encrypted using a predefined private key, and encoded when displayed in the CLI and configuration file.

Passwords cannot be decrypted without the private key and are not shown anywhere in clear text. The private key is required on other FortiGates to restore the system from a configuration file. In an HA cluster, the same key should be used on all of the units.

To enhance password security, specify a custom private key for the encryption process. This ensures that the key is only known by you.

FortiGate models with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on the TPM. For more information, see Trusted platform module support.

To configure your own private encryption key:

config system global
    set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
********************************
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
********************************
Your private data encryption key is accepted.
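The `config system auto-install`, `config system global` strong-cipher and `private-data-encryption` settings above are easy to verify by hand on one unit and easy to miss across a fleet. The following audit script is an added example, not Fortinet code: it parses a FortiOS `show` dump and reports every hardening setting from this page that is weak or absent. The `EXPECTED` values are taken from the page's own CLI blocks; `SAMPLE` is a constructed config fragment.

```python
"""Audit a FortiOS config dump for the hardening settings on this page.
Added example, not Fortinet code; SAMPLE below is constructed."""
# (block, setting) -> hardened value, taken from the page's CLI snippets.
EXPECTED = {
    ("system global", "strong-crypto"): "enable",
    ("system global", "ssh-hmac-md5"): "disable",
    ("system global", "ssh-cbc-cipher"): "disable",
    ("system global", "ssl-static-key-ciphers"): "disable",
    ("system global", "dh-params"): "8192",
    ("system global", "private-data-encryption"): "enable",
    ("system auto-install", "auto-install-config"): "disable",
    ("system auto-install", "auto-install-image"): "disable",
}

def parse_fortios_config(text):
    """Return {block: {setting: value}} for top-level 'config ... end' blocks.
    Nested config/edit sections are depth-tracked and their settings skipped."""
    blocks, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            depth += 1
            if depth == 1:  # only 'config' can open a top-level block
                current = blocks.setdefault(line[len("config "):], {})
        elif line in ("end", "next"):
            depth -= 1
        elif line.startswith("set ") and depth == 1:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return blocks

def audit(text):
    """List (block, setting, found, expected) per deviation. found=None means the
    setting is absent: 'show' omits defaults, so treat it as unverified."""
    cfg = parse_fortios_config(text)
    return [(blk, key, cfg.get(blk, {}).get(key), want)
            for (blk, key), want in EXPECTED.items()
            if cfg.get(blk, {}).get(key) != want]

SAMPLE = """\
config system global
    set hostname "edge-fw"
    set strong-crypto enable
    set ssh-cbc-cipher enable
    set dh-params 2048
end
config system auto-install
    set auto-install-config disable
end
"""
```

Run it against the output of `show full-configuration` rather than plain `show` when you need absent settings to be conclusive, since the former prints default values as well.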
