Security best practices
This chapter describes some techniques and best practices that you can use to improve FortiOS security.
Install the FortiGate unit in a physically secure location
A good place to start with is physical security. Install your FortiGate in a secure location, such as a locked room or one with restricted access. A restricted location prevents unauthorized users from getting physical access to the device.
If unauthorized users have physical access, they can disrupt your entire network by disconnecting your FortiGate (either by accident or on purpose). They could also connect a console cable and attempt to log into the CLI. Also, when a FortiGate unit reboots, a person with physical access can interrupt the boot process and install different firmware.
Register your product with Fortinet Support
You need to register your Fortinet product with Fortinet Support to receive customer services, such as firmware updates and customer support. You must also register your product for FortiGuard services, such as up-to-date antivirus and IPS signatures. To register your product the Fortinet Support website.
Keep your FortiOS firmware up to date
Always keep FortiOS up to date. The most recent version is the most stable and has the most bugs fixed and vulnerabilities removed. Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues.
After you register your FortiGate, you can receive notifications on FortiGate GUI about firmware updates. You can update the firmware directly from the GUI or by downloading firmware updates from the Fortinet Support website.
Before you install any new firmware, be sure to follow these steps:
- Review the release notes for the latest firmware release.
- Review the Supported Upgrade Paths guide to determine the best path to take from your current version of FortiOS to the latest version.
- Back up the current configuration.
Only FortiGate administrators who have read and write privileges can upgrade the FortiOS firmware.
System administrator best practices
This section describes a collection of changes you can implement to make administrative access to the GUI and CLI more secure.
Disable administrative access to the external (Internet-facing) interface
When possible, don’t allow administration access on the external (Internet-facing) interface.
To disable administrative access, go to Network > Interfaces, edit the external interface and disable HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.
From the CLI:
config system interface edit <external-interface-name> unset allowaccess
end
Allow only HTTPS access to the GUI and SSH access to the CLI
For greater security never allow HTTP or Telnet administrative access to a FortiGate interface, only allow HTTPS and SSH access. You can change these settings for individual interfaces by going to Network > Interfaces and adjusting the administrative access to each interface.
From the CLI:
config system interface edit <interface-name> set allowaccess https ssh
end
Require TLS 1.2 for HTTPS administrator access
Use the following command to require TLS 1.2 for HTTPS administrator access to the GUI:
config system global set admin-https-ssl-versions tlsv1-2
end
TLS 1.2 is currently the most secure SSL/TLS supported version for SSL-encrypted administrator access.
Re-direct HTTP GUI logins to HTTPS
Go to System > Settings > Administrator Settings and enable Redirect to HTTPS to make sure that all attempted HTTP login connections are redirected to HTTPS.
From the CLI:
config system global set admin-https-redirect enable end
Change the HTTPS and SSH admin access ports to non-standard ports
Go to System > Settings > Administrator Settings and change the HTTPS and SSH ports.
You can change the default port configurations for HTTPS and SSH administrative access for added security. To connect to a non-standard port, the new port number must be included in the collection request. For example:
l If you change the HTTPS port to 7734, you would browse to https://<ip-address>:7734. l If you change the SSH port to 2345, you would connect to ssh admin@<ip-address>:2345 To change the HTTPS and SSH login ports from the CLI:
config system global set admin-sport 7734 set admin-ssh-port 2345
end
If you change to the HTTPS or SSH port numbers, make sure your changes do not conflict with ports used for other services.
Maintain short login timeouts
Set the idle timeout to a short time to avoid the possibility of an administrator walking away from their management computer and leaving it exposed to unauthorized personnel.
To set the administrator idle timeout, go to System > Settings and enter the amount of time for the Idle timeout. A best practice is to keep the default time of 5 minutes.
To set the administrator idle timeout from the CLI:
config system global set admintimeout 5
end
You can use the following command to adjust the grace time permitted between making an SSH connection and authenticating. The range can be between 10 and 3600 seconds, the default is 120 seconds (minutes). By shortening this time, you can decrease the chances of someone attempting a brute force attack a from being successful. For example, you could set the time to 30 seconds.
config system global set admin-ssh-grace-time 30
end
Restrict logins from trusted hosts
Setting up trusted hosts for an administrator limits the addresses from where they can log into FortiOS. The trusted hosts configuration applies to most forms of administrative access including HTTPS, SSH, and SNMP. When you identify a trusted host for an administrator account, FortiOS accepts that administrator’s login only from one of the trusted hosts. A login, even with proper credentials, from a non-trusted host is dropped.
System administrator best practices
To identify trusted hosts, go to System > Administrators, edit the administrator account, enable Restrict login to trusted hosts, and add up to ten trusted host IP addresses.
To add two trusted hosts from the CLI:
config system admin edit <administrator-name> set trustedhost1 172.25.176.23 255.255.255.255 set trustedhost2 172.25.177.0 255.255.255.0
end
Trusted host IP addresses can identify individual hosts or subnets. Just like firewall policies, FortiOS searches through the list of trusted hosts in order and acts on the first match it finds. When you configure trusted hosts, start by adding specific addresses at the top of the list. Follow with more general IP addresses. You don’t have to add addresses to all of the trusted hosts as long as all specific addresses are above all of the 0.0.0.0 0.0.0.0 addresses.
Set up two-factor authentication for administrators
FortiOS supports FortiToken and FortiToken Mobile 2-factor authentication. FortiToken Mobile is available for iOS and Android devices from their respective application stores.
Every registered FortiGate unit includes two trial tokens for free. You can purchase additional tokens from your reseller or from Fortinet.
To assign a token to an administrator, go to System > Administrators and select Enable Two-factor Authentication for each administrator.
Create multiple administrator accounts
Rather than allowing all administrators to access ForiOS with the same administrator account, you can create accounts for each person or each role that requires administrative access. This configuration allows you to track the activities of each administrator or administrative role.
If you want administrators to have different functions you can add different administrator profiles. Go to System > Admin Profiles and select Create New.
Modify administrator account lockout duration and threshold values
By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.
Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.
To configure the lockout options:
config system global set admin-lockout-threshold <failed_attempts> set admin-lockout-duration <seconds>
end
The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.
Global commands for stronger and more secure encryption
Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.
Example:
To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:
config system global set admin-lockout-threshold 1 set admin-lockout-duration 300 end
If the time span between the first failed login attempt and the admin-lockoutthreshold failed login attempt is less than admin-lockout-duration, the lockout will be triggered.
Rename the admin administrator account
You can improve security by renaming the admin account. To do this, create a new administrator account with the super_admin admin profile and log in as that administrator. Then go to System > Administrators and edit the admin administrator and change the User Name. Renaming the admin account makes it more difficult for an attacker to log into FortiOS.
Add administrator disclaimers
FortiOS can display a disclaimer before or after logging into the GUI or CLI (or both). In either case the administrator must read and accept the disclaimer before they can proceed.
Use the following command to display a disclaimer before logging in:
config system global set pre-login-banner enable
end
Use the following command to display a disclaimer after logging in:
config system global set post-login-banner enable
end
You can customize the replacement messages for these disclaimers by going to System > Replacement Messages. Select Extended View to view and edit the Administrator replacement messages.
From the CLI:
config system replacemsg admin pre_admin-disclaimer-text config system replacemsg admin post_admin-disclaimer-text
Global commands for stronger and more secure encryption
This section describes some best practices for employing stronger and more secure encryption.
Disable sending malware statistics to FortiGuard
Turn on global strong encryption
Enter the following command to configure FortiOS to use only strong encryption and allow only strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS, SSH, TLS, and SSL functions.
config sys global set strong-crypto enable
end
Disable MD5 and CBC for SSH
In some cases, you may not be able to enable strong encryption. For example, your FortiGate may be communicating with a system that does not support strong encryption. With strong-crypto disabled you can use the following options to prevent SSH sessions with the FortiGate from using less secure MD5 and CBC algorithms:
config sys global set ssh-hmac-md5 disable set ssh-cbc-cipher disable
end
Disable static keys for TLS
You can use the following command to prevent TLS sessions from using static keys (AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256):
config sys global set ssl-static-key-ciphers disable
end
Require larger values for Diffie-Hellman exchanges
Larger Diffie-Hellman values result in stronger encryption. Use the following command to force Diffie-Hellman exchanges to use 8192 bit values (the highest configurable DH value).
config sys global set dh-params 8192
end
Disable sending malware statistics to FortiGuard
By default FortiOS periodically sends encrypted malware statistics to FortiGuard. The malware statistics record Antivirus, IPS, or Application Control events. This data is used to improved FortiGuard services. The malware statistics that FortiOS sends do not include any personal or sensitive customer data. The information is not shared with any external parties and is used in accordance with Fortinet’s Privacy Policy.
To disable sending malware statistics to FortiGuard, enter the following command: config system global set fds-statistics disable
end
Disable sending Security Rating statistics to FortiGuard
Security Rating is a Fortinet Security Fabric feature that allows customers to audit their Security Fabric and find and fix security problems. As part of the feature, FortiOS sends your security rating to FortiGuard every time a security rating test runs.
You can opt out of submitting Security Rating scores to FortiGuard. If you opt out you won’t be able to see how your organization’s scores compare with the scores of other organizations. Instead, an absolute score is shown. Use the following command to disable FortiGuard Security Rating result submission:
config system global set fortiguard-audit-result-submission disable
end
Disable auto USB installation
If USB installation is enabled, an attacker with physical access to a FortiGate could load a new configuration or firmware on the FortiGate using the USB port. You can disable USB installation by entering the following from the CLI:
config system auto-install set auto-install-config disable set auto-install-image disable
end
Set system time by synchronizing with an NTP server
For accurate time, use an NTP server to set system time. Synchronized time facilitates auditing and consistency between expiry dates used in expiration of certificates and security protocols.
From the GUI go to System > Settings > System Time and select Synchronize with NTP Server. By default, this causes FortiOS to synchronize with Fortinet’s FortiGuard secure NTP server.
From the CLI you can use one or more different NTP servers:
config system ntp set type custom set ntpsync enable config ntpserver edit 1 set server <ntp-server-ip>
next edit 2 set server <other-ntp-server-ip> end
Disable the maintainer admin account
Administrators with physical access to a FortiGate appliance can use a console cable and a special administrator account called maintainer to log into the CLI without a password. This feature allows you to log into a FortiGate if you have lost all administrator passwords. See Resetting a lost Admin password on the Fortinet Cookbook for details.
The maintainer account can be disabled using the following command:
config system global set admin-maintainer disable
end
Enable password policies
Go to System > Settings > Password Policy, to create a password policy that all administrators must follow. Using the available options you can define the required length of the password, what it must contain (numbers, upper and lower case, and so on) and an expiry time.
Use the password policy feature to make sure all administrators use secure passwords that meet your organization’s requirements.
Configure auditing and logging
For optimum security go to Log & Report > Log Settings enable Event Logging. For best results send log messages to FortiAnalyzer or FortiCloud.
From FortiAnalyzer or FortiCloud, you can view reports or system event log messages to look for system events that may indicate potential problems. You can also view system events by going to FortiView > System Events.
Establish an auditing schedule to routinely inspect logs for signs of intrusion and probing.
Encrypt logs sent to FortiAnalyzer/FortiManager
To keep information in log messages sent to FortiAnalyzer private, go to Log & Report > Log Settings and when you configure Remote Logging to FortiAnalyzer/FortiManager select Encrypt log transmission.
From the CLI.
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting set enc-algorithm high end
Disable unused interfaces
To disable an interface from the GUI, go to Network > Interfaces. Edit the interface to be disabled and set Interface State to Disabled.
From the CLI, to disable the port21 interface:
config system interface edit port21 set status down
end
Disable unused protocols on interfaces
You can use the config system interface command to disable unused protocols that attackers may attempt to use to gather information about a FortiGate unit. Many of these protocols are disabled by default. Using the config system interface command you can see the current configuration of each of these options for the selected interface and then choose to disable them if required.
config system interface edit <interface-name> set dhcp-relay-service disable set pptp-client disable set arpforward disable set broadcast-forward disable set l2forward disable set icmp-redirect disable set vlanforward disable set stpforward disable set ident-accept disable set ipmac disable set netbios-forward disable set security-mode none set device-identification disable set lldp-transmission disable end
Option | Description |
dhcp-relay-service | Disable the DHCP relay service. |
pptp-client | Disable operating the interface as a PPTP client. |
arpforward | Disable ARP forwarding. |
broadcast-forward | Disable forwarding broadcast packets. |
l2forward | Disable layer 2 forwarding. |
icmp-redirect | Disable ICMP redirect. |
Option | Description |
vlanforward | Disable VLAN forwarding. |
stpforward | Disable STP forwarding. |
ident-accept | Disable authentication for this interface. The interface will not respond to a connection with an authentication prompt. |
ipmac | Disable IP/MAC binding. |
netbios-forward | Disable NETBIOS forwarding. |
security-mode | Set to none to disable captive portal authentication. The interface will not respond to a connection with a captive portal. |
device-identification | Disable device identification. |
lldp-transmission | Disable link layer discovery (LLDP). |
Use local-in policies to close open ports or restrict access
You can also use local-in policies to close open ports or otherwise restrict access to FortiOS.
Close ICMP ports
Use the following command to close all ICMP ports on the WAN1 interface. The following example blocks traffic that matches the ICMP_ANY firewall service.
config firewall local-in-policy edit 1 set intf wan1 set scraddr all set dstaddr all set action deny set service ICMP_ANY set schedule always
end
Close the BGP port
Use the following command to close the BGP port on the wan1 interface. The following example blocks traffic that matches the BGP firewall service.
config firewall local-in-policy edit 1 set intf wan1 set scraddr all set dstaddr all
Use local-in policies to close open ports or restrict access
set action deny set service BGP set schedule always end