Controlling the source and destination of traffic
The source and destination are the first parameters you specify in a security policy. (Go to Policy & Objects > IPv4 Policy and select Create New.)
The Interface settings depend on network topology. The Source and Destination Address settings define the IP addresses to which the policy applies. These should be as narrow as possible, so that only the appropriate hosts are included. For example, if the destination is a server with a single IP address, the named Destination Address should be defined as that single address, not the entire subnet on which the server resides.
Addresses are defined in Policy & Objects > Addresses. Some addresses will be used in several security policies, so it is best to plan ahead and define the addresses first.
Controlling the types of traffic in the CDE
The Policy & Objects > Service setting determines which types of traffic can pass based on protocol.
You can select a single protocol from the Service drop-down list. To add another protocol, select the green “+” button to access the Service drop-down list again. If several security policies will need the same list of services, consider creating a named service group. (Go to Firewall Objects > Service > Groups.) In the security policy, service groups are available at the bottom of the Service drop-down list.
The default deny policy
All traffic not specifically allowed by a security policy that you create is blocked by the Implicit policy listed at the bottom of the Policy & Objects > IPv4 Policy page.
You cannot delete this policy and you can edit the policy only to enable or disable logging of the traffic that it handles.
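The three sections above describe how a FortiGate evaluates a policy table: named address objects, named services, first matching policy wins, and anything left over falls through to the implicit deny. The following Python script is an added illustration of that evaluation order and of the "as narrow as possible" rule, not code from Fortinet or from this guide. The address names, prefixes, service list and the 16-address threshold are constructed for the example; real FortiOS matches on more fields (interfaces, schedules, users) than this model shows.

```python
import ipaddress
from dataclasses import dataclass

# Named address objects, as defined under Policy & Objects > Addresses.
# All names and prefixes are constructed for this example.
ADDRESSES = {
    "POS-Terminals": ipaddress.ip_network("10.10.10.0/28"),   # 16 hosts
    "Card-DB-Server": ipaddress.ip_network("10.10.20.5/32"),  # a single host
    "CDE-Subnet": ipaddress.ip_network("10.10.20.0/24"),      # the whole subnet
    "all": ipaddress.ip_network("0.0.0.0/0"),
}

# Named services: (protocol, destination port). Constructed sample set.
SERVICES = {
    "HTTPS": ("tcp", 443),
    "SSH": ("tcp", 22),
    "DNS": ("udp", 53),
}


@dataclass
class Policy:
    policy_id: int
    srcaddr: str        # key into ADDRESSES
    dstaddr: str        # key into ADDRESSES
    services: list      # keys into SERVICES (a service group, in effect)
    action: str         # "accept" or "deny"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def match(policy, pkt):
    """True when source, destination and service all match this policy."""
    src_ok = ipaddress.ip_address(pkt.src) in ADDRESSES[policy.srcaddr]
    dst_ok = ipaddress.ip_address(pkt.dst) in ADDRESSES[policy.dstaddr]
    svc_ok = any(SERVICES[s] == (pkt.proto, pkt.dport) for s in policy.services)
    return src_ok and dst_ok and svc_ok


def evaluate(policies, pkt):
    """Walk the table top to bottom; the first match decides.
    Traffic matching nothing is handled by the implicit deny (policy ID 0)."""
    for p in policies:
        if match(p, pkt):
            return p.policy_id, p.action
    return 0, "deny"


def audit(policies, implicit_deny_logging, max_addresses=16):
    """Findings a reviewer would raise: accept policies whose address objects
    cover more than `max_addresses` hosts, and an implicit deny that is not
    logging the traffic it drops. The threshold is an assumption."""
    findings = []
    for p in policies:
        if p.action != "accept":
            continue
        for field_name in ("srcaddr", "dstaddr"):
            name = getattr(p, field_name)
            size = ADDRESSES[name].num_addresses
            if size > max_addresses:
                findings.append((p.policy_id, field_name, name, size))
    if not implicit_deny_logging:
        findings.append((0, "logtraffic", "implicit-deny", 0))
    return findings


# Constructed policy table: policy 2 uses the whole subnet as its destination,
# which is exactly what the guide says to avoid.
POLICIES = [
    Policy(1, "POS-Terminals", "Card-DB-Server", ["HTTPS"], "accept"),
    Policy(2, "POS-Terminals", "CDE-Subnet", ["SSH", "DNS"], "accept"),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, Packet("10.10.10.7", "10.10.20.5", "tcp", 443)))
    print(evaluate(POLICIES, Packet("10.10.10.7", "10.10.20.5", "tcp", 3389)))
    for finding in audit(POLICIES, implicit_deny_logging=False):
        print("finding:", finding)
```

Running the audit with logging disabled on the implicit deny produces two findings: the `/24` destination on policy 2 and the unlogged implicit deny, both of which an assessor will ask about.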
Wireless network security
Scanning for rogue access points is the minimum requirement for wireless security. Even if your organization does not use wireless networking, PCI DSS requires you to verify periodically that wireless networking has not been introduced into the CDE.
If you use wireless networking, the wireless network is only within the PCI DSS scope if it can connect to the CDE.
On-wire detection of rogue APs
FortiGate units include an “on-wire” detection technique that correlates the SSID MAC addresses of the unknown access points with MAC addresses detected on your wired networks. This helps to differentiate unrelated neighboring APs from security-compromising unauthorized APs connected to your network.
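The correlation described above can be illustrated with a short Python script. This is an added example, not Fortinet's implementation: the scan results and the wired MAC table are constructed, and the "same OUI, last bytes within a small window" comparison is a simplifying assumption standing in for whatever the FortiGate actually does (consumer APs commonly derive their BSSIDs from the wired-side MAC, which is what makes the comparison useful).

```python
# Constructed sample data: BSSIDs reported by a scanning radio, and the MAC
# address table learned from a wired switch inside the CDE.
WIRELESS_SCAN = [
    {"ssid": "CorpWiFi",   "bssid": "00:11:22:aa:bb:c1", "managed": True},
    {"ssid": "Free_Guest", "bssid": "00:11:22:aa:bb:c5", "managed": False},
    {"ssid": "NETGEAR42",  "bssid": "a4:2b:8c:10:20:30", "managed": False},
]
WIRED_MAC_TABLE = {
    "port5": ["00:11:22:aa:bb:c0", "3c:52:82:01:02:03"],
    "port7": ["a4:2b:8c:99:20:31"],
}


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def near(mac_a, mac_b, window=8):
    """Treat two MACs as the same device when they share an OUI (upper 24
    bits) and differ by less than `window`. The window size is an assumption."""
    a, b = mac_to_int(mac_a), mac_to_int(mac_b)
    return (a >> 24) == (b >> 24) and abs(a - b) < window


def classify(scan, wired):
    """Return (bssid, verdict, wired_port) for every AP seen by the radio.
    An unmanaged AP whose BSSID correlates with a wired MAC is the one that
    matters: it is plugged into your network, not a neighbour's."""
    results = []
    for ap in scan:
        if ap["managed"]:
            results.append((ap["bssid"], "managed", None))
            continue
        hit = next(
            ((port, mac) for port, macs in wired.items()
             for mac in macs if near(ap["bssid"], mac)),
            None,
        )
        if hit:
            results.append((ap["bssid"], "rogue-on-wire", hit[0]))
        else:
            results.append((ap["bssid"], "unknown-neighbor", None))
    return results


if __name__ == "__main__":
    for bssid, verdict, port in classify(WIRELESS_SCAN, WIRED_MAC_TABLE):
        print(f"{bssid}  {verdict:16}  {port or '-'}")
```

The useful output is the third column: an on-wire verdict names the switch port the unauthorized AP hangs off, which is where the investigation starts. Neighbouring APs that never correlate with a wired MAC stay in the "unknown-neighbor" bucket and need no action beyond being recorded for the periodic PCI DSS check.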
Setting up rogue access point scanning
A FortiGate unit with a connected FortiAP unit can perform wireless scanning. Each of the FortiAP radios can act as a dedicated monitor or can perform scanning in the background while acting as a wireless access point.
Radio 1 operates in the 2.4 GHz band and Radio 2 operates in the 5 GHz band. Both bands should be monitored. The FortiAP unit(s) used for scanning must be located within the coverage area that would result if an access point were added to the CDE.
To configure rogue AP scanning in a FortiAP profile
1. Go to WiFi & Switch Controller > WIDS Profiles.
On some models, the menu is WiFi & Switch Controller.
2. Select an existing WIDS profile and edit it, or select Create New.
3. Make sure that Enable Rogue AP Detection is selected.
4. Select Enable On-Wire Rogue AP Detection.
5. Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
6. Select OK.