Best Practices – Security Profiles (AV, Web Filtering etc.)

Security Profiles (AV, Web Filtering etc.)

Infection can come from many sources and have many different effects. Because of this, there is no single means to effectively protect your network. Instead, you can best protect your network with the various UTM tools your FortiGate unit offers.

Firewall

  • Be careful when disabling or deleting firewall settings. Changes that you make to the firewall configuration using the GUI or CLI are saved and activated immediately.
  • Arrange firewall policies in the policy list from more specific to more general. The firewall searches for a matching policy starting from the top of the policy list and working down. For example, a very general policy matches all connection attempts. When you create exceptions to a general policy, you must add them to the policy list above the general policy.
  • Avoid using the All selection for the source and destination addresses. Use addresses or address groups. l If you remove all policies from the firewall, there are no policy matches and all connections are dropped. l If possible, avoid port ranges on services for security reasons.
  • The settings for a firewall policy should be as specific as possible. Do not use 0.0.0.0 as an address. Do not use Any as a service. Use subnets or specific IP addresses for source and destination addresses and use individual services or service groups.
  • Use a 32-bit subnet mask when creating a single host address (for example, 255.255.255.255).
  • Use logging on a policy only when necessary and be aware of the performance impact. For example, you may want to log all dropped connections but can choose to use this sparingly by sampling traffic data rather than have it continually storing log information you may not use.
  • It is possible to use security policies based on ‘any’ interface. However, for better granularity and stricter security, explicit interfaces are recommended.
  • Use the comment field to input management data, for example: who requested the rule, who authorized it, etc.
  • Avoid FQDN addresses if possible, unless they are internal. It can cause a performance impact on DNS queries and security impact from DNS spoofing. l For non vlan interfaces, use zones (even if you have only one single interface for members) to allow:
  • An explicit name of the interface to use in security policies (‘internal’ is more explicit than ‘port10’).
  • A split between the physical port and its function to allow port remapping (for instance moving from a 1G interface to a 10G interface) or to facilitate configuration translation, as performed during hardware upgrades.

Security

  • Use NTP to synchronize time on the FortiGate and the core network systems, such as email servers, web servers, and logging services.
  • Enable log rules to match corporate policy. For example, log administration authentication events and access to systems from untrusted interfaces.
  • Minimize adhoc changes to live systems, if possible, to minimize interruptions to the network. When not possible, create backup configurations and implement sound audit systems using FortiAnalyzer and FortiManager.
  • If you only need to allow access to a system on a specific port, limit the access by creating the strictest rule possible.

Authentication

  • You must add a valid user group to activate the Authentication check box on the firewall policy configuration page.
  • Users can authenticate with the firewall using HTTP or FTP. For users to be able to authenticate, you must add an HTTP or FTP policy that is configured for authentication.

Antivirus

  • Enable antivirus scanning at the network edge for all services. l Use FortiClient endpoint antivirus scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard AntiVirus Updates and configure your FortiGate unit to receive push updates. This will ensure you receive antivirus signature updates as soon as they are available.
  • To ensure that all AV push updates occur, ensure you have an AV profile enabled in a security policy.
  • Enable only the protocols you need to scan. If you have antivirus scans occurring on the SMTP server, or use FortiMail, it is redundant to have scanning occur on the FortiGate unit as well.
  • Reduce the maximum file size to be scanned. Viruses usually travel in small files of around 1 to 2 megabytes.
  • Do not quarantine files unless you regularly monitor and review them. This is otherwise a waste of space and impacts performance.
  • Examine antivirus reports and log messages periodically. Take particular notice of repeated detections. For example, repeated virus detection in SMTP traffic could indicate a system on your network is infected and is attempting to contact other systems to spread the infection using a mass mailer.

Antispam

l If possible use, a FortiMail unit. The antispam engines are more robust. l Use fast DNS servers. l Use specific security profiles for the rule that will use antispam. l DNS checks may cause false positive with HELO DNS lookup. l Content analysis (banned words) may impose performance overhead.

Intrusion Prevention System (IPS)

Your FortiGate’s IPS system can detect traffic attempting to exploit this vulnerability. IPS may also detect when infected systems communicate with servers to receive instructions. Refer to the following list of best practices regarding IPS.

  • Enable IPS scanning at the network edge for all services. l Use FortiClient endpoint IPS scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard IPS Updates and configure your FortiGate unit to receive push updates. This will ensure you receive IPS signature updates as soon as they are available.
  • Because it is critical to guard against attacks on services that you make available to the public, configure IPS signatures to block matching signatures. For example, if you have a web server, configure the action of web server signatures to Block.
  • Create and use security profiles with specific signatures and anomalies you need per-interface and per-rule.
  • Do not use predefined or generic profiles. While these profiles are convenient to supply immediate protection, you should create profiles to suit your network environment.
  • If you do use the default profiles, reduce the IPS signatures/anomalies enabled in the profile to conserve processing time and memory.
  • If you are going to enable anomalies, make sure you tune thresholds according to your environment.
  • If you need protection, but not audit information, disable the logging option. l Tune the IP-protocol parameter accordingly.

Blocking Skype using CLI options for improved detection

If you want to identify or block Skype sessions, use the following CLI command with your FortiGate’s public IP address to improve detection (FortiOS 4.3.12+ and 5.0.2+):

config ips global set skype-client-public-ipaddr 198.51.100.0,203.0.113.0

end

Note that the above syntax is configured using multiple public IP addresses, where a single public IP address may suffice depending on your network configuration.

Email filter

This entry was posted in Administration Guides, FortiGate, FortiOS, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.