Security Profiles (AV, Web Filtering etc.)

Policy configuration

Configuring the FortiGate unit with an ‘allow all’ traffic policy is very undesirable. While this does greatly simplify the configuration, it is less secure. As a security measure, it is best practice for the policy rulebase to ‘deny’ by default, and not the other way around.

 

Policy configuration changes

On a heavy-loaded system, plan configuration changes during low usage periods in order to minimize impact on CPU usage and established sessions. In this scenario, it is considered a best practice to de-accelerate the hardware-accelerated sessions.

You can configure de-accelerated behaviour on hardware-accelerated sessions using CLI commands to control how the processor manages policy configuration changes. The following CLI commands are to be used:

config system settings

set firewall-session-dirty { check-all | check-new | check-policy-option }

end

where you want the following to be true:

check-all              CPU flushes all current sessions and re-evaluates them. This is the default option.

check-new              CPU keeps existing sessions and applies policy changes to new sessions only. This reduces CPU load and the possibility of packet loss.

check-policy-option    Use the option selected in the firewall-session-dirty field of the firewall policy (check-all or check-new, as above, but per policy).

 

Policy whitelisting

  • Allow only the necessary inbound and outbound traffic.
  • If possible, limit traffic to specific addresses or subnets. This allows the FortiGate unit to drop traffic to and from unexpected addresses.

 

IPS and DoS policies

  • Because it is critical to guard against attacks on services that you make available to the public, configure IPS signatures to block matching signatures. For example, if you have a web server, configure the action of web server signatures to Block.
  • Your FortiGate unit includes IPS signatures written to protect specific software titles from DoS attacks. Enable the signatures for the software you have installed and set the signature action to Block.
  • DoS attacks are launched against vulnerabilities. Maintain a FortiGuard IPS subscription to ensure your FortiGate unit automatically receives new and updated IPS signatures as they are released.
  • Use and configure DoS policies to appropriate levels based on your network traffic and topology. This will help drop traffic if an abnormal amount is received. The key is to set a good threshold. The threshold defines the maximum number of sessions/packets per second of normal traffic. If the threshold is exceeded, the action is triggered. Threshold defaults are general recommendations, but your network may require very different values. One way to find the correct values for your environment is to set the action to Pass and enable logging. Observe the logs and adjust the threshold values until you can determine the value at which normal traffic begins to generate attack reports. Set the threshold above this value with the margin you want. Note that the smaller the margin, the more protected your system will be from DoS attacks, but your system will also be more likely to generate false alarms.

 

2 thoughts on “Security Profiles (AV, Web Filtering etc.)

  1. Momo

    Could you help me with the following?
    About the security profiles, if on a firewall policy one or all of the profiles are disabled, does this mean that the Fortigate will drop the packet?
    I know that whatever is not explicity allowed is automatically categorised as deny, but I wasn’t sure if this also meant the same for disabled security profiles.

    Reply
    1. Mike Post author

      You mean if you have security profiles created but not applied to a policy? If that is the case, as long as they aren’t applied to a policy the policy will operate in standard firewall format.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.