Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Best Practices

    Home FortiProxy 7.4.0 Best Practices
    7.4.0
    7.6.0
    7.4.0
    7.2.0

    Hardening

    Hardening

    System hardening reduces security risk by eliminating potential attack vectors and shrinking the system's attack surface. The best practices described previously in this document contribute to the hardening of the FortiProxy; this section covers some other actions that can be used.

    Physical security

    Install the FortiProxy in a physically secure location. Physical access to the FortiProxy can allow it to be bypassed, or other firmware could be loaded after a manual reboot.

    If the FortiProxy cannot be physical secured:

    • Disable USB firmware and configuration installation:

      config system auto-install
    set auto-install-config disable
    set auto-install-image disable
end

    • Enable port security (802.1x) to prevent unauthorized devices from forwarding traffic.

    • Optionally, disable the maintainer account. Note that doing this will make you unable to recover administrator access using a console connection is all of the administrator credentials are lost.

    Vulnerability - monitoring PSIRT

    Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. The findings are sent to the Fortinet development teams, and serious issues are described, along with protective solutions, in advisories listed at https://www.fortiguard.com/psirt.

    Firmware

    Keep the FortiProxy firmware up to date. The latest patch release has the most fixed bugs and vulnerabilities, and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.

    • Read the release notes. The known issues may include issues that affect your business.

    • Do not use out of support firmware. Review the product lifecycle and plan to upgrade before the firmware expires.

    • Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

    Encrypted protocols

    Use encrypted protocols whenever possible, for example, SNMPv3 instead of SNMP, SSH instead of telnet, OSPF MD5 authentication, SCP instead of FTP or TFTP, NTP authentication, and encrypted logging instead of TCP.

    FortiGuard databases

    Ensure that FortiGuard databases, such as AS, IPS, and AV, are updated punctually. Optionally, send an alert if they are out of date.

    Penetration testing

    Test your FortiProxy to try to gain unauthorized access, or hire a penetration testing company to verify your work.

    Secure password storage

    The passwords and private keys used in certificates that are stored on the FortiProxy are encrypted using a predefined private key and encoded when displayed in the CLI and configuration file. System Admin passwords are hashed with SHA256 and encoded before being displayed.

    Passwords cannot be decrypted without the private key and are not shown anywhere in clear text. The private key is required on other FortiProxy units to restore the system from a configuration file. In an HA cluster, the same key should be used on all of the units.

    To enhance password security, specify a custom private key for the encryption process. This ensures that the key is only known by you.

    FortiProxy units with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on a Trusted Platform Module (TPM). For more information, see Trusted platform module support.

    To configure your own private encryption key:
    config system global
    set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
********************************
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
********************************
Your private data encryption key is accepted.
    Previous
    Next

    Hardening

    Hardening

    System hardening reduces security risk by eliminating potential attack vectors and shrinking the system's attack surface. The best practices described previously in this document contribute to the hardening of the FortiProxy; this section covers some other actions that can be used.

    Physical security

    Install the FortiProxy in a physically secure location. Physical access to the FortiProxy can allow it to be bypassed, or other firmware could be loaded after a manual reboot.

    If the FortiProxy cannot be physical secured:

    • Disable USB firmware and configuration installation:

      config system auto-install
    set auto-install-config disable
    set auto-install-image disable
end

    • Enable port security (802.1x) to prevent unauthorized devices from forwarding traffic.

    • Optionally, disable the maintainer account. Note that doing this will make you unable to recover administrator access using a console connection is all of the administrator credentials are lost.

    Vulnerability - monitoring PSIRT

    Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. The findings are sent to the Fortinet development teams, and serious issues are described, along with protective solutions, in advisories listed at https://www.fortiguard.com/psirt.

    Firmware

    Keep the FortiProxy firmware up to date. The latest patch release has the most fixed bugs and vulnerabilities, and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.

    • Read the release notes. The known issues may include issues that affect your business.

    • Do not use out of support firmware. Review the product lifecycle and plan to upgrade before the firmware expires.

    • Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

    Encrypted protocols

    Use encrypted protocols whenever possible, for example, SNMPv3 instead of SNMP, SSH instead of telnet, OSPF MD5 authentication, SCP instead of FTP or TFTP, NTP authentication, and encrypted logging instead of TCP.

    FortiGuard databases

    Ensure that FortiGuard databases, such as AS, IPS, and AV, are updated punctually. Optionally, send an alert if they are out of date.

    Penetration testing

    Test your FortiProxy to try to gain unauthorized access, or hire a penetration testing company to verify your work.

    Secure password storage

    The passwords and private keys used in certificates that are stored on the FortiProxy are encrypted using a predefined private key and encoded when displayed in the CLI and configuration file. System Admin passwords are hashed with SHA256 and encoded before being displayed.

    Passwords cannot be decrypted without the private key and are not shown anywhere in clear text. The private key is required on other FortiProxy units to restore the system from a configuration file. In an HA cluster, the same key should be used on all of the units.

    To enhance password security, specify a custom private key for the encryption process. This ensures that the key is only known by you.

    FortiProxy units with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on a Trusted Platform Module (TPM). For more information, see Trusted platform module support.

    To configure your own private encryption key:
    config system global
    set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
********************************
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
********************************
Your private data encryption key is accepted.
    Previous
    Next