7.2.0

Hardening

System hardening reduces security risk by eliminating potential attack vectors and shrinking the system's attack surface. The best practices described previously in this document contribute to the hardening of the FortiProxy; this section covers some other actions that can be used.

Physical security

Install the FortiProxy in a physically secure location. An attacker with physical access to the FortiProxy can bypass it entirely, or load other firmware after a manual reboot.

If the FortiProxy cannot be physically secured:

  • Disable USB firmware and configuration installation:

    config system auto-install
        set auto-install-config disable
        set auto-install-image disable
    end
    
  • Enable port security (802.1X) so that unauthorized devices cannot forward traffic.

  • Optionally, disable the maintainer account. Note that if you do this, you will be unable to recover administrator access through a console connection if all of the administrator credentials are lost.

Vulnerability - monitoring PSIRT

The Fortinet Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. The findings are sent to the Fortinet development teams, and serious issues are described, along with protective solutions, in advisories listed at https://www.fortiguard.com/psirt.

Firmware

Keep the FortiProxy firmware up to date. The latest patch release of a firmware branch contains the most bug and vulnerability fixes and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.

  • Read the release notes. The known issues list may include issues that affect your deployment.

  • Do not use out-of-support firmware. Review the product lifecycle and plan to upgrade before your firmware reaches end of support.

  • Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

Encrypted protocols

Use encrypted or authenticated protocols whenever possible: SNMPv3 instead of SNMPv1/v2c, SSH instead of Telnet, OSPF MD5 authentication instead of unauthenticated OSPF, SCP instead of FTP or TFTP, authenticated NTP, and encrypted logging instead of plain TCP logging.

FortiGuard databases

Ensure that the FortiGuard databases, such as antispam (AS), IPS, and antivirus (AV), are updated on schedule. Optionally, configure an alert to be sent when they are out of date.

Penetration testing

Test your FortiProxy yourself by attempting to gain unauthorized access, or hire a penetration testing company to verify your work.

Secure password storage

Passwords and certificate private keys stored on the FortiProxy are encrypted with a predefined private key and shown only in encoded form in the CLI and in the configuration file. System administrator passwords are hashed with SHA-256 and encoded before being displayed.

Passwords cannot be decrypted without the private key and are never shown in clear text. The same private key is required on any other FortiProxy unit that restores the system from the configuration file. In an HA cluster, use the same key on all of the units.

To enhance password security, specify a custom private key for the encryption process, so that the key is known only to you. Record the key securely: without it, the encrypted secrets in a configuration backup cannot be restored on another unit.

FortiProxy units with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on the TPM. For more information, see Trusted platform module support.

To configure your own private encryption key:

    config system global
        set private-data-encryption enable
    end
    Please type your private data encryption key (32 hexadecimal numbers):
    ********************************
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    ********************************
    Your private data encryption key is accepted.
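As an added, runnable illustration of the checks described in this section (example code written for this page, not Fortinet tooling or code from the original document), the following Python script parses a FortiProxy-style configuration backup and reports which hardening settings are missing: USB auto-install, the maintainer account, Telnet administration, SNMPv1/v2c communities, unencrypted remote syslog, and private-data-encryption. The two configuration samples are constructed; the option names admin-maintainer, admin-telnet and enc-algorithm are assumed from the FortiOS-style CLI and should be verified against the CLI reference for your firmware.

```python
"""Offline audit of a FortiProxy-style configuration backup against the
hardening settings on this page. Example code for this page, not Fortinet's.
Option names admin-maintainer, admin-telnet and enc-algorithm are assumed
from the FortiOS-style CLI; verify them against your firmware's CLI reference."""
import shlex


def parse_config(text):
    """Parse 'config ... / edit ... / set ... / next / end' text into nested
    dicts: a config table or edit entry becomes a dict; 'set k v' stores the
    value as a string (a list when the option takes several values)."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw in ("config", "edit"):
            stack.append(node)
            node = node.setdefault(" ".join(args), {})
        elif kw == "set" and len(args) >= 2:
            node[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and stack:
            node = stack.pop()
    return root


def audit(text):
    """Return a list of findings; an empty list means every check passed.
    An absent option counts as not hardened, which is deliberately conservative."""
    cfg = parse_config(text)
    findings = []
    auto = cfg.get("system auto-install", {})
    for opt in ("auto-install-config", "auto-install-image"):
        if auto.get(opt) != "disable":
            findings.append(f"system auto-install: {opt} not disabled (USB install possible)")
    glb = cfg.get("system global", {})
    if glb.get("private-data-encryption") != "enable":
        findings.append("system global: private-data-encryption not enabled "
                        "(secrets protected only by the built-in key)")
    if glb.get("admin-maintainer") != "disable":  # assumed option name
        findings.append("system global: maintainer account not disabled "
                        "(console password recovery remains possible)")
    if glb.get("admin-telnet") != "disable":  # assumed option name
        findings.append("system global: Telnet administration not disabled (use SSH)")
    if cfg.get("system snmp community"):
        findings.append("system snmp community: SNMPv1/v2c community configured "
                        "(use SNMPv3 users instead)")
    syslog = cfg.get("log syslogd setting", {})
    if syslog.get("status") == "enable" and syslog.get("enc-algorithm", "disable") == "disable":
        findings.append("log syslogd setting: remote logging is not encrypted "
                        "(use mode reliable with enc-algorithm)")  # assumed option name
    return findings


# Constructed sample backups for this example (not real device output).
WEAK_CONFIG = """
config system global
    set admin-telnet enable
end
config system auto-install
    set auto-install-config enable
    set auto-install-image enable
end
config system snmp community
    edit 1
        set name "public"
    next
end
config log syslogd setting
    set status enable
    set mode udp
end
"""

HARDENED_CONFIG = """
config system global
    set admin-telnet disable
    set admin-maintainer disable
    set private-data-encryption enable
end
config system auto-install
    set auto-install-config disable
    set auto-install-image disable
end
config log syslogd setting
    set status enable
    set mode reliable
    set enc-algorithm high
end
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(sample)
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run it against a backup taken with `execute backup config` (or the equivalent for your deployment) to get a quick list of deviations; treat the findings as a starting point for review rather than a complete hardening standard, and extend the checks with the options your own CLI reference documents.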
