Captive portals

Introduction to captive portals

You can authenticate your users on a web page that requests the user’s name and password. Until the user authenticates successfully, the authentication page is returned in response to any HTTP request. This is called a captive portal.

After successful authentication, the user accesses the requested URL and can access other web resources, as permitted by security policies. Optionally, the captive portal itself can allow web access to only the members of specified user group.

The captive portal can be hosted on the FortiGate unit or on an external authentication server. You can configure captive portal authentication on any network interface, including WiFi and VLAN interfaces.

When a captive portal is configured on a WiFi interface, the access point initially appears open. The wireless client can connect to the access point with no security credentials, but sees only the captive portal authentication page.

WiFi captive portal types:

• Authentication — until the user enters valid credentials, no communication beyond the AP is permitted.
• Disclaimer + Authentication — immediately after successful authentication, the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding.
• Disclaimer Only — the portal presents the disclaimer page—an acceptable use policy or other legal statement— to which the user must agree before proceeding. The authentication page is not presented.
• Email Collection — the portal presents a page requesting the user’s email address, for the purpose of contacting the person in future. This is often used by businesses who provide free WiFi access to their customers. The authentication page is not presented.
• MAC Bypass — when clients are authenticated against their bridged SSID and their MAC addresses are known, they are redirected to the external captive portal.

Configuring a captive portal

Captive portals are configured on network interfaces. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in System > Network > Interfaces.

On a physical (wired) network interface, you edit the interface configuration in System > Network > Interfaces and set Security Mode to Captive Portal.

To configure a WiFi captive portal – web-based manager:

1. Go to WiFi & Switch Controller > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

2. Under WiFi Settings, for Security Mode, select Captive Portal.
3. Enter the following:

4. Select OK.

To configure an SSID with external-web enabled – CLI:

config wireless-controller vap edit “web-ext” set vdom “root” set ssid “web-ext” set security captive-portal set selected-usergroups “qnap“

Configuring a

set security-exempt-list “wifi”

set security-redirect-url “ http://www.fortinet.com” set intra-vap-privacy enable set local-switching disable

set external-web “192.168.234.51/portal.php”

next

end

Note that the external-web entry is the URL of the external authentication web server. When this entry is not set, the FortiGate will use the local web server hosting the local login/splash page.

The external web URL is not explicitly set with HTTP/HTTPS – FortiGate uses the auth-secure-http entry under config user setting.

Exemption from the captive portal

A captive portal requires all users on the interface to authenticate. But some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list to exempt all printers from authentication.

config user security-exempt-list edit r_exempt config rule edit <id> set devices printer

end

end

Furthermore, a walled garden firewall policy can be created:

config firewall policy edit <id> set captive-portal-exempt enable …

next

end

MAC Bypass for captive portal

It is possible to provide a MAC address bypass for authenticated clients.When clients are authenticated with bridged SSID and their MAC addresses are known, they are redirected to the External Captive Portal.

A new portal type has been added, under config wireless-controller vap, to provide successful MAC authentication Captive Portal functionality.

Syntax

config wireless-controller vap edit {name} set portal-type {cmcc-macauth}

next

end

MAC-auth-bypass for the captive-portal SSID

Captive-portal SSID supports MAC-auth-bypass. If a client’s MAC can be authenticated from localuser or RADIUS, then the client can bypass firewall authentication directly.

config wireless-controller vap edit <name> set security captive-portal set MAC-auth-bypass {enable | disable}

next

end

Customizing captive portal pages

These pages are defined in replacement messages. Defaults are provided. In the web-based manager, you can modify the default messages in the SSID configuration by selecting Customize Portal Messages. Each SSID can have its own unique portal content.

The captive portal contains the following default web pages: l Login page—requests user credentials

Typical modifications for this page would be to change the logo and modify some of the text.

You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Please enter your credentials to continue” is provided by the %%QUESTION%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

• Login failed page—reports that the entered credentials were incorrect and enables the user to try again.

The Login failed page is similar to the Login page. It even contains the same login form. You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Firewall authentication failed. Please try again.” is provided by the %%FAILED_MESSAGE%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

• Disclaimer page—is a statement of the legal responsibilities of the user and the host organization to which the user must agree before proceeding.(WiFi or SSL VPN only)
• Declined disclaimer page—is displayed if the user does not agree to the statement on the Disclaimer page. Access is denied until the user agrees to the disclaimer.

Changing images in portal messages

You can replace the default Fortinet logo with your organization’s logo. First, import the logo file into the FortiGate unit and then modify the Login page code to reference your file.

To import a logo file:

1. Go to System > Replacement Messages and select Manage Images.
2. Select Create New.
3. Enter a Name for the logo and select the appropriate Content Type. The file must not exceed 24 Kilo bytes.
4. Select Browse, find your logo file and then select Open.
5. Select OK.

To specify the new logo in the replacement message:

1. Go to Network > Interfaces and edit the interface. The Security Mode must be Captive Portal.
2. Select the portal message to edit.
   • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
   • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
3. In the HTML message text, find the %%IMAGE tag.

By default it specifies the Fortinet logo: %%IMAGE:logo_fw_auth%%

4. Change the image name to the one you provided for your logo. The tag should now read, for example, %%IMAGE:mylogo%%
5. Select Save.
6. Select OK.

Modifying text in portal messages

Generally, you can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters. You should not remove any tags because they may carry information that the FortiGate unit needs. See the preceding section for any exceptions to this rule for particular pages.

To modify portal page text

1. Go to System > Network > Interfaces and edit the interface. The SSID Security Mode must be Captive Portal.
2. Select the portal message to edit.
   • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
   • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
3. Edit the HTML message text, then select Save.
4. Select OK.

Configuring disclaimer page for ethernet interface captive portals

While you can customize a disclaimer page for captive portals that connect via WiFi, the same can be done for wired connections. However, this can only be configured on the CLI Console, and only without configuring user groups.

When configuring a captive portal through the CLI, you may set security-groups to a specific user group. The result of this configuration will show an authentication form to users who wish to log in to the captive portal— not a disclaimer page. If you do not set any security-groups in your configuration, an “Allow all” status will be in effect, and the disclaimer page will be displayed for users.

The example CLI configuration below shows setting up a captive portal interface without setting security-groups, resulting in a disclaimer page for users:

config system interface edit “port1” set vdom “root” set ip 172.16.101.1 255.255.255.0 set allowaccess ping https ssh snmp http set type physical set explicit-web-proxy enable set alias “LAN”

set security-mode captive-portal

set snmp-index 1

next

end

Roaming support

Client devices can maintain captive portal authentication as they roam across different APs. By maintaining a consistent authentication, uninterrupted access to latency sensitive applications such as VoIP is ensured.

The Cloud will push a random per-AP Network encryption key to the AP. The key is 32 bytes in length, and is used in captive portal fast roaming. All APs of an AP Network will use the same encryption key. This key is randomly generated, and will be updated daily.

Session timeout interval for captive portal

The following syntax can be set to configure a session timeout interval in seconds for Captive Portal users. Set the range between 0 – 864000 (or no timeout to ten days). The default is set to 0.

Syntax

config wireless-controller vap edit <name> …

set captive-portal-session-timeout-interval <seconds>

next end

Configuration example – captive portal WiFi access control

In this scenario, you will configure the FortiGate for captive portal access so users can log on to your WiFi network.

You will create a user account (rgreen), add it to a user group (employees), create a captive portal SSID (example-staff), and configure a FortiAP unit. When the user attempts to browse the Internet, they will be redirected to the captive portal login page and asked to enter their username and password.

1. Enabling HTTPS authentication

Go to User & Device > Authentication Settings.

Under Protocol Support, enable Redirect HTTP Challenge to a Secure Channel (HTTPS). This will make sure that user credentials are communicated securely through the captive portal.

2. Creating the user

Go to User & Device > User Definition and create a Local user (rgreen).

Create additional users if needed, and assign any authentication methods.

3. Creating the user group

Go to User & Device > User Groups and create a user group (employees).

Add rgreen to the group.

4. Creating the SSID

Go to WiFi & Switch Controller > SSID and configure the wireless network.

Some FortiGate models may show the GUI path as WiFi & Switch Controller.

Enter an Interface Name (example-wifi) and IP/Network Mask.

An address range under DHCP Server will be automatically configured.

Under WiFi Settings, enter an SSID name (example-staff), set Security Mode to Captive Portal, and add the employees user group.

5. Creating the security policy

Go to Policy & Objects > Addresses and create a new address for the SSID (example-wifi-net).

Set Subnet/IP Range to the same range set on the DHCP server in the previous step.

Set Interface to the SSID interface.

Go to Policy & Objects > IPv4 Policy and create a new policy for WiFi users to connect to the Internet.

Add both the example-wifi-net address and employees user group to Source.

6. Connecting and authorizing the FortiAP

Go to Network > Interfaces and edit an available interface.

Under Address, set Addressing mode to Dedicated to Extension Device and assign it an IP address.

Connect the FortiAP unit to the configured interface, then go to WiFi & Switch Controller > Managed FortiAPs.

The FortiAP is listed, but its State shows a greyed-out question mark — this is because it is waiting for authorization.

Highlight the FortiAP and select Authorize.

The question mark is now replaced by a red down-arrow — this is because it is authorized, but still offline.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.

For each radio, enable Radio Resource Provision and select your SSID.

Go back to WiFi & Switch Controller > Managed FortiAPs to verify that the FortiAP unit is online.

7. Results

When a user attempts to connect to the wireless network, they will be redirected to the captive portal login screen.

Members of the employees group must enter their Username and Password. The user will then be redirected to the URL originally requested.

On the FortiGate, go to Monitor > WiFi Client Monitor to verify that the user is authenticated.

Supported RFCs

FortiOS supports the following RFCs.

BGP

l RFC 4724: Graceful Restart Mechanism for BGP l RFC 4456: BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) l RFC 4360: BGP Extended Communities Attribute l RFC 4271: A Border Gateway Protocol 4 (BGP-4) l RFC 2918: Route Refresh Capability for BGP-4 l RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing l RFC 2439: BGP Route Flap Damping l RFC 1997: BGP Communities Attribute l RFC 1930: Guidelines for creation, selection, and registration of an Autonomous System (AS) l RFC 1772: Application of the Border Gateway Protocol in the Internet

Cryptography

• RFC 8031: Curve25519 and Curve448 for the Internet Key Exchange Protocol Version 2 (IKEv2) Key Agreement l RFC 7634: ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec l RFC 7627: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension l RFC 7539: ChaCha20 and Poly1305 for IETF Protocols l RFC 7427: Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) l RFC 7383: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation l RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2) l RFC 7027: Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS) l RFC 6989: Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
• RFC 6954: Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol

Version 2 (IKEv2) l RFC 6290: A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) l RFC 6023: A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) l RFC 5723: Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption l RFC 5282: Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol

• RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile l RFC 4754: IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) l RFC 4635: HMAC SHA TSIG Algorithm Identifiers l RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)

DHCP

• RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol l RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) l RFC 3947: Negotiation of NAT-Traversal in the IKE l RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec l RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) l RFC 2986: PKCS #10: Certification Request Syntax Specification Version 1.7 l RFC 2845: Secret Key Transaction Authentication for DNS (TSIG) l RFC 2631: Diffie-Hellman Key Agreement Method l RFC 2451: The ESP CBC-Mode Cipher Algorithms l RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec l RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV l RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH l RFC 2403: The Use of HMAC-MD5-96 within ESP and AH l RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5 l RFC 2104: HMAC: Keyed-Hashing for Message Authentication l RFC 2085: HMAC-MD5 IP Authentication with Replay Prevention l RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management l RFC 1321: The MD5 Message-Digest Algorithm l PKCS #12: PKCS 12 v1: Personal Information Exchange Syntax

DHCP

l RFC 4361: Node-specific Client Identifiers for Dynamic Host Configuration Protocol Version Four (DHCPv4) l RFC 3736: Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6 l RFC 3633: IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6 l RFC 3456: Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode l RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6) l RFC 2132: DHCP Options and BOOTP Vendor Extensions l RFC 2131: Dynamic Host Configuration Protocol

Diffserv

l RFC 3260: New Terminology and Clarifications for Diffserv l RFC 2597: Assured Forwarding PHB Group l RFC 2475: An Architecture for Differentiated Services l RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers 7

DNS

DNS

l RFC 6895: Domain Name System (DNS) IANA Considerations l RFC 6604: xNAME RCODE and Status Bits Clarification l RFC 6147: DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers l RFC 4592: The Role of Wildcards in the Domain Name System l RFC 4035: Protocol Modifications for the DNS Security Extensions l RFC 4034: Resource Records for the DNS Security Extensions l RFC 4033: DNS Security Introduction and Requirements l RFC 3597: Handling of Unknown DNS Resource Record (RR) Types l RFC 3226: DNSSEC and IPv6 A6 aware server/resolver message size requirements l RFC 3007: Secure Domain Name System (DNS) Dynamic Update l RFC 2308: Negative Caching of DNS Queries (DNS NCACHE) l RFC 2181: Clarifications to the DNS Specification l RFC 2136: Dynamic Updates in the Domain Name System (DNS UPDATE) l RFC 1996: A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) l RFC 1995: Incremental Zone Transfer in DNS l RFC 1982: Serial Number Arithmetic l RFC 1876: A Means for Expressing Location Information in the Domain Name System l RFC 1706: DNS NSAP Resource Records l RFC 1183: New DNS RR Definitions l RFC 1101: DNS Encoding of Network Names and Other Types l RFC 1035: Domain Names – Implementation and Specification l RFC 1034: Domain Names – Concepts and Facilities

ICMP

l RFC 6918: Formally Deprecating Some ICMPv4 Message Types l RFC 6633: Deprecation of ICMP Source Quench Messages l RFC 4884: Extended ICMP to Support Multi-Part Messages l RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification l RFC 1191: Path MTU Discovery l RFC 792: Internet Control Message Protocol

IP

• RFC 5798: Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6 l RFC 4301: Security Architecture for the Internet Protocol l RFC 3272: Overview and Principles of Internet Traffic Engineering

IP multicast

• RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP l RFC 2072: Router Renumbering Guide l RFC 2071: Network Renumbering Overview: Why would I want it and what is it anyway?
• RFC 1918: Address Allocation for Private Internets l RFC 1123: Requirements for Internet Hosts — Application and Support l RFC 1122: Requirements for Internet Hosts — Communication Layers l RFC 791: Internet Protocol

IP multicast

• RFC 5059: Bootstrap Router (BSR) Mechanism for Protocol Independent Multicast (PIM)
• RFC 4604: Using Internet Group Management Protocol Version 3 (IGMPv3) and Multicast Listener Discovery

Protocol Version 2 (MLDv2) for Source-Specific Multicast l RFC 3973: Protocol Independent Multicast – Dense Mode (PIM-DM): Protocol Specification (Revised) l RFC 3956: Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address l RFC 3306: Unicast-Prefix-based IPv6 Multicast Addresses l RFC 2365: Administratively Scoped IP Multicast l RFC 1112: Host Extensions for IP Multicasting

IPsec

• RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet

Security Association and Key Management Protocol (ISAKMP) l RFC 4303: IP Encapsulating Security Payload (ESP)

• RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

IPv4

l RFC 6864: Updated Specification of the IPv4 ID Field l RFC 5177: Network Mobility (NEMO) Extensions for Mobile IPv4 l RFC 4632: Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan l RFC 3927: Dynamic Configuration of IPv4 Link-Local Addresses l RFC 3021: Using 31-Bit Prefixes on IPv4 Point-to-Point Links l RFC 1812: Requirements for IP Version 4 Routers

IPv6

l RFC 6343: Advisory Guidelines for 6to4 Deployment l RFC 5175: IPv6 Router Advertisement Flags Option

9

IS-IS

• RFC 5095: Deprecation of Type 0 Routing Headers in IPv6 l RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 l RFC 4862: IPv6 Stateless Address Autoconfiguration l RFC 4861: Neighbor Discovery for IP version 6 (IPv6) l RFC 4389: Neighbor Discovery Proxies (ND Proxy) l RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers l RFC 4193: Unique Local IPv6 Unicast Addresses l RFC 4007: IPv6 Scoped Address Architecture l RFC 3971: SEcure Neighbor Discovery (SEND) l RFC 3596: DNS Extensions to Support IP Version 6 l RFC 3587: IPv6 Global Unicast Address Format l RFC 3493: Basic Socket Interface Extensions for IPv6 l RFC 3056: Connection of IPv6 Domains via IPv4 Clouds l RFC 3053: IPv6 Tunnel Broker l RFC 2894: Router Renumbering for IPv6 l RFC 2675: IPv6 Jumbograms l RFC 2185: Routing Aspects Of IPv6 Transition
• RFC 1752: The Recommendation for the IP Next Generation Protocol

IS-IS

l RFC 5310: IS-IS Generic Cryptographic Authentication l RFC 5308: Routing IPv6 with IS-IS l RFC 3359: Reserved Type, Length and Value (TLV) Codepoints in Intermediate System to Intermediate System l RFC 1195: Use of OSI IS-IS for Routing in TCP/IP and Dual Environments

LDAP

• RFC 4513: Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms l RFC 4512: Lightweight Directory Access Protocol (LDAP): Directory Information Models l RFC 4511: Lightweight Directory Access Protocol (LDAP): The Protocol
• RFC 3494: Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status

MPLS

• RFC 7026: Retiring TLVs from the Associated Channel Header of the MPLS Generic Associated Channel l RFC 6426: MPLS On-Demand Connectivity Verification and Route Tracing l RFC 6425: Detecting Data-Plane Failures in Point-to-Multipoint MPLS – Extensions to LSP Ping l RFC 6423: Using the Generic Associated Channel Label for Pseudowire in the MPLS Transport Profile (MPLS-TP) l RFC 5586: MPLS Generic Associated Channel

NAT

• RFC 5462: Multiprotocol Label Switching (MPLS) Label Stack Entry: “EXP” Field Renamed to “Traffic Class” Field l RFC 5332: MPLS Multicast Encapsulations l RFC 5129: Explicit Congestion Marking in MPLS l RFC 4448: Encapsulation Methods for Transport of Ethernet over MPLS Networks l RFC 4182: Removing a Restriction on the use of MPLS Explicit NULL l RFC 3564: Requirements for Support of Differentiated Services-aware MPLS Traffic Engineering l RFC 3469: Framework for Multi-Protocol Label Switching (MPLS)-based Recovery l RFC 3443: Time To Live (TTL) Processing in Multi-Protocol Label Switching (MPLS) Networks l RFC 3270: Multi-Protocol Label Switching (MPLS) Support of Differentiated Services l RFC 3032: MPLS Label Stack Encoding

NAT

• RFC 6888: Common Requirements for Carrier-Grade NATs (CGNs) l RFC 6146: Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers l RFC 4966: Reasons to Move the Network Address Translator – Protocol Translator (NAT-PT) to Historic Status l RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP l RFC 4380: Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs) l RFC 3948: UDP Encapsulation of IPsec ESP Packets
• RFC 3022: Traditional IP Network Address Translator (Traditional NAT)

OSPF

l RFC 6860: Hiding Transit-Only Networks in OSPF l RFC 6845: OSPF Hybrid Broadcast and Point-to-Multipoint Interface Type l RFC 5340: OSPF for IPv6 l RFC 4812: OSPF Restart Signaling l RFC 4811: OSPF Out-of-Band Link State Database (LSDB) Resynchronization l RFC 4203: OSPF Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS) l RFC 3630: Traffic Engineering (TE) Extensions to OSPF Version 2 l RFC 3623: Graceful OSPF Restart l RFC 3509: Alternative Implementations of OSPF Area Border Routers l RFC 3101: The OSPF Not-So-Stubby Area (NSSA) Option l RFC 2328: OSPF Version 2 l RFC 1765: OSPF Database Overflow l RFC 1370: Applicability Statement for OSPF

PPP

PPP

• RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE) l RFC 2364: PPP Over AAL5
• RFC 1661: The Point-to-Point Protocol (PPP)

RADIUS

• RFC 5176: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) l RFC 2866: RADIUS Accounting
• RFC 2548: Microsoft Vendor-specific RADIUS Attributes

RIP

l RFC 4822: RIPv2 Cryptographic Authentication l RFC 2453: RIP Version 2 l RFC 2080: RIPng for IPv6 l RFC 1724: RIP Version 2 MIB Extension l RFC 1058: Routing Information Protocol

SIP

l RFC 3960: Early Media and Ringing Tone Generation in the Session Initiation Protocol (SIP) l RFC 3325: Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks l RFC 3262: Reliability of Provisional Responses in the Session Initiation Protocol (SIP) l RFC 3261: SIP: Session Initiation Protocol

SNMP

• RFC 4293: Management Information Base for the Internet Protocol (IP) l RFC 4273: Definitions of Managed Objects for BGP-4 l RFC 4113: Management Information Base for the User Datagram Protocol (UDP) l RFC 4022: Management Information Base for the Transmission Control Protocol (TCP) l RFC 3635: Definitions of Managed Objects for the Ethernet-like Interface Types l RFC 3417: Transport Mappings for the Simple Network Management Protocol (SNMP) l RFC 3416: Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) l RFC 3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) SSL
• RFC 3413: Simple Network Management Protocol (SNMP) Applications l RFC 3412: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) l RFC 3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management

Frameworks l RFC 3410: Introduction and Applicability Statements for Internet Standard Management Framework l RFC 2863: The Interfaces Group MIB l RFC 2578: Structure of Management Information Version 2 (SMIv2)

• RFC 1238: CLNS MIB for use with Connectionless Network Protocol (ISO 8473) and End System to Intermediate

System (ISO 9542) l RFC 1215: A Convention for Defining Traps for use with the SNMP l RFC 1213: Management Information Base for Network Management of TCP/IP-based internets: MIB-II l RFC 1212: Concise MIB Definitions l RFC 1157: A Simple Network Management Protocol (SNMP) l RFC 1156: Management Information Base for Network Management of TCP/IP-based internets l RFC 1155: Structure and Identification of Management Information for TCP/IP-based Internets

SSL

l RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 l RFC 6101:The Secure Sockets Layer (SSL) Protocol Version 3.0

TCP

l RFC 6691: TCP Options and Maximum Segment Size (MSS) l RFC 6298: Computing TCP’s Retransmission Timer l RFC 6093: On the Implementation of the TCP Urgent Mechanism l RFC 793: Transmission Control Protocol

TLS

l RFC 6347: Datagram Transport Layer Security Version 1.2 l RFC 6066:Transport Layer Security (TLS) Extensions: Extension Definitions l RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension l RFC 5425: Transport Layer Security (TLS) Transport Mapping for Syslog l RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 l RFC 4681: TLS User Mapping Extension l RFC 4680: TLS Handshake Message for Supplemental Data

VPN

VPN

• RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling
• RFC 4684: Constrained Route Distribution for Border Gateway Protocol/MultiProtocol Label Switching (BGP/MPLS)

Internet Protocol (IP) Virtual Private Networks (VPNs) l RFC 4577: OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs) l RFC 4364: BGP/MPLS IP Virtual Private Networks (VPNs)

• RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements

Other protocols

l RFC 5357: A Two-Way Active Measurement Protocol (TWAMP) l RFC 5214: Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) l RFC 4960: Stream Control Transmission Protocol l RFC 4251: The Secure Shell (SSH) Protocol Architecture l RFC 3435: Media Gateway Control Protocol (MGCP) Version 1.0 l RFC 3376 : Internet Group Management Protocol, Version 3 l RFC 2890: Key and Sequence Number Extensions to GRE l RFC 2784: Generic Routing Encapsulation (GRE) l RFC 2661: Layer Two Tunneling Protocol “L2TP” l RFC 2637: Point-to-Point Tunneling Protocol (PPTP) l RFC 2412: The OAKLEY Key Determination Protocol l RFC 2225: Classical IP and ARP over ATM l RFC 2033: Local Mail Transfer Protocol l RFC 1413: Identification Protocol l RFC 1011: Official Internet Protocols l RFC 862: Echo Protocol l RFC 768: User Datagram Protocol l The TACACS+ Protocol

Miscellaneous

• RFC 7348: Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2

Networks over Layer 3 Networks l RFC 4784: Verizon Wireless Dynamic Mobile IP Key Update for cdma2000(R) Networks for cdma2000(R) Networks l RFC 4470: Minimally Covering NSEC Records and DNSSEC On-line Signing l RFC 3985: Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture l RFC 2979: Behavior of and Requirements for Internet Firewalls

Miscellaneous

• RFC 2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address

Spoofing l RFC 2780: IANA Allocation Guidelines For Values In the Internet Protocol and Related Headers l RFC 2647: Benchmarking Terminology for Firewall Performance l RFC 2644: Changing the Default for Directed Broadcasts in Routers l RFC 2231: MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations l RFC 1945: Hypertext Transfer Protocol — HTTP/1.0 l RFC 950: Internet Standard Subnetting Procedure l RFC 894: A Standard for the Transmission of IP Datagrams over Ethernet Networks

Building security into FortiOS

The FortiOS operating system, FortiGate hardware devices, and FortiOS virtual machines (VMs) are built with security in mind, so many security features are built into the hardware and software. Fortinet maintains an ISO:9001 certified software and hardware development processes to ensure that FortiOS and FortiGate products are developed in a secure manner

Boot PROM and BIOS security

The boot PROM and BIOS in FortiGate hardware devices use Fortinet’s own FortiBootLoader that is designed and controlled by Fortinet. FortiBootLoader is a secure, proprietary BIOS for all FortiGate appliances. FortiGate physical devices always boot from FortiBootLoader.

FortiOS kernel and user processes

FortiOS is a multi-process operating system with kernel and user processes. The FortiOS kernel runs in a privileged hardware mode while higher-level applications run in user mode. FortiOS is a closed system that does not allow the loading or execution of third-party code in the FortiOS user space. All non-essential services, packages, and applications are removed.

FortiGate appliances with SD drives are encrypted to prevent unauthorized access to data.

Administration access security

Admin administrator account

All FortiGate firewalls ship with a default administrator account called admin. By default, this account does not have a password. FortiOS allows administrators to add a password for this account or to remove the account and create new custom super_admin administrator accounts.

Secure password storage

User and administrator passwords are stored securely on the system in an encrypted format. The encryption hash used for admin account passwords is SHA256/SHA1. The value that is seen in the configuration file is the Base64 encoded hash value. For example:

config system admin edit “admin” set accprofile “super_admin”

set vdom “root”

set password ENC SH2nlSm9QL9tapcHPXIqAXvX7vBJuuqu22hpa0JX0sBuKIo7z2g0Kz/+0KyH4E=

next end

Pre-shared keys in IPSec phase-1 configurations are stored in plain text. In the configuration file these pre-shared keys are encoded. The encoding consists of encrypting the password with a fixed key using DES (AES in FIPS mode) and then Base64 encoding the result.

Maintainer account

Administrators with physical access to a FortiGate appliance can use a console cable and a special administrator account called maintainer to log into the CLI. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password for the maintainer account is bcpb followed by the FortiGate serial number. An administrator has 60-seconds to complete this login. See Resetting a lost Admin password on the Fortinet Cookbook for details.

The only action the maintainer account has permissions to perform is to reset the passwords of super_admin accounts. Logging in with the maintainer account requires rebooting the FortiGate. FortiOS generates event log messages when you login with the maintainer account and for each password reset.

The maintainer account is enabled by default; however, there is an option to disable this feature. The maintainer account can be disabled using the following command:

config system global set admin-maintainer disable

end

Administrative access security

Secure administrative access features:

• SSH, Telnet, and SNMP are disabled by default. If required, these admin services must be explicitly enabled on each interface from the GUI or CLI.
• SSHv1 is disabled by default. SSHv2 is the default version.
• SSLv3 and TLS1.0 are disabled by default. TLSv1.1 and TLSv1.2 are the SSL versions enabled by default for HTTPS admin access.
• HTTP is disabled by default, except on dedicated MGMT, DMZ, and predefined LAN interfaces. HTTP redirect to HTTPS is enabled by default. l The strong-crypto global setting is enabled by default and configures FortiOS to use strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. l SCP is disabled by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file. To enable SCP:

config system global set admin-scp enable

end

• DHCP is enabled by default on the dedicated MGMT interface and on the predefined LAN port (defined on some FortiGate models).
• The default management access configuration for FortiGate models with dedicated MGMT, DMZ, WAN, and LAN interfaces is shown below. Outside of the interfaces listed below, management access must be explicitly enabled on interfaces – management services are enabled on specific interfaces and not globally.
• Dedicated management interface l Ping l FMG-Access (fgfm) l CAPWAP l HTTPS l HTTP
• Dedicated WAN1/WAN2 interface l Ping l FMG-Access (fgfm)
• Dedicated DMZ interface l Ping l FMG-Access (fgfm) l CAPWAP l HTTPS l HTTP
• Dedicated LAN interface l Ping l FMG-Access (fgfm) l CAPWAP l HTTPS l HTTP

Network security

This section describes FortiOS and FortiGate network security features.

Network interfaces

The following are disabled by default on each FortiGate interface:

l Broadcast forwarding l STP forwarding l VLAN forwarding l L2 forwarding l Netbios forwarding l Ident accept

For more information, see Disable unused protocols on interfaces on page 20.

TCP sequence checking

FortiOS uses TCP sequence checking to ensure a packet is part of a TCP session. By default, anti-replay protection is strict, which means that if a packet is received with sequence numbers that fall out of the expected range, FortiOS drops the packet. Strict anti-replay checking performs packet sequence checking and ICMP antireplay checking with the following criteria:

• The SYN, FIN, and RST bit cannot appear in the same packet.
• FortiOS does not allow more than 1 ICMP error packet to go through before it receives a normal TCP or UDP packet.
• If FortiOS receives an RST packet, FortiOS checks to determine if its sequence number in the RST is within the unACKed data and drops the packet if the sequence number is incorrect. l For each new session, FortiOS checks to determine if the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value.

Reverse path forwarding

FortiOS implements a mechanism called Reverse Path Forwarding (RPF), or Anti Spoofing, to block an IP packet from being forwarded if its source IP does not:

l belong to a locally attached subnet (local interface), or l be in the routing domain of the FortiGate from another source (static route, RIP, OSPF, BGP).

If those conditions are not met, FortiOS silently drops the packet.

FIPS and Common Criteria

FortiOS has received NDPP, EAL2+, and EAL4+ based FIPS and Common Criteria certifications. Common Criteria evaluations involve formal rigorous analysis and testing to examine security aspects of a product or system. Extensive testing activities involve a comprehensive and formally repeatable process, confirming that the security product functions as claimed by the manufacturer. Security weaknesses and potential vulnerabilities are specifically examined during an evaluation.

To see Fortinet’s complete history of FIPS/CC certifications go to the following URL and add Fortinet to the Vendor field:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search

PSIRT advisories

The FortiGuard Labs Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. Any such findings are fed back to Fortinet’s development teams and serious issues are described along with protective solutions. The PSIRT regulatory releases PSIRT advisories when issues are found and corrected. Advisories are listed at https://www.fortiguard.com/psirt.