Networking

When configuring your network, ensure that there is no ‘back door’ access to the protected network. For example, if there is a wireless access point, it must be appropriately protected with password and encryption.

Be sure to also maintain an up-to-date network diagram which includes IP addressing, cabling, and network elements.

 

Routing configuration

• Always configure a default route.
• Add blackhole routes for subnets reachable using VPN tunnels. This ensures that if a VPN tunnel goes down, traffic is not mistakingly routed to the Internet unencrypted.

 

Policy routing

Keep the number of policy routes to a minimum to optimize performance in route lookup and to simplify troubleshooting.

 

Dynamic routing

• Select a Router ID that matches an IP assigned to an interface. This avoids the likelihood of having two devices with the same router ID.
• For routing over an IPsec tunnel, assign IP addresses to both ends of the tunnel.

 

Advanced routing

Use the following best practices for advanced routing when dealing with Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF).

 

Border Gateway Protocol (BGP)

If you are using BGP, it is recommended that you enable soft-reconfiguration. This has two benefits:

• It allows you to perform ‘soft clear’ of peers after a change is made to a BGP policy.
• It provides greater visibility into the specific prefixes learned from each neighbor.

Leave soft-reconfiguration disabled if your FortiGate does not have much unused memory. Soft-reconfiguration requires keeping separate copies of prefixes received and advertised, in addition to the local BGP database.

 

Open Shortest Path First (OSPF)

• Avoid use of passive interfaces wherever possible.
• Avoid use of virtual links to connect areas. All areas should be designed to connect directly to the backbone area.
• Ensure that all backbone routers have a minimum of two peering connections to other backbone neighbors.
• An entire OSPF domain should be under common administration.

 

Network Address Translation (NAT)

• Beware of misconfiguring the IP Pool range. Double-check the start and end IPs of each IP pool. The IP pool should not overlap with addresses assigned to FortiGate interfaces or to any hosts on directly connected networks.
• If you have internal and external users accessing the same servers, use split DNS to offer an internal IP to internal users so that they don’t have to use the external-facing VIP.

 

Configuring NAT

Do not enable NAT for inbound traffic unless it is required by an application. If, for example, NAT is enabled for inbound SMTP traffic, the SMTP server might act as an open relay.

 

Transparent Mode

• Do not connect two ports to the same VLAN on a switch or to the same hub. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN.
• If you operate multiple VLANs on your FortiGate unit, assign each VLAN id to its own forwarding domain to ensure that the scope of the broadcast does not extend beyond the VLAN it originated in.

 

To protect against Layer 2 loops:

• Enable stpforward on all interfaces.
• Use separate VDOMs for production traffic (TP mode VDOM) and management traffic (NAT/Route mode VDOM).
• Only place those interfaces used for production in the TP mode VDOM. Place all other interfaces in the NAT/Route mode VDOM. This protects against potential Layer 2 loops.

Using Virtual IPs (VIPs)

• Use the external IP of 0.0.0.0 when creating a VIP for a FortiGate unit where the external interface IP address is dynamically assigned.
• Be sure to select the correct external interface when creating a new virtual IP (VIP). The external interface should be set to the interface at which the FortiGate unit receives connection requests from external networks.

 

Configuring FSSO Advanced Settings

Depending on your network topologies and requirement, you may need to configure advanced settings in the FSSO Colloctor agent.To do so, from the Start menu, select Programs > Fortinet > Fortinet Single Sign-On Agent > Configure Fortinet Single Sign-On Agent, then from the Common Tasks section, select Advanced Settings.

 

This section include :

• General Settings
• Citrix/Terminal Server
• Exchange Server
• RADIUS Accounting

 

General Settings

In the General tab, enter the following information and select OK.

Worker thread count             Number of threads started in the CA process. Default is128 on CA version 5.0.0241.

Maximum FortiGate con- nections

Number of FortiGates can be connected to the CA. Default is 64.

Group look-up interval         The interval in seconds to lookup users/groups. If an AD group membership of cur- rently logged on user, CA can detect this and update information on the FortiGate. Enter 0 for no checking.

Windows security Event logs

Choose the event logs to poll.

Event IDs to poll                    0:Default set, it includes Kerberos authentication event logs : 672 for Windows server 2003, 4768 for Windows server 2008 and 2012 and NTLM authentication event logs : 680 for Windows server 2003, 4776 for Windows server 2008 and 2012. 1: Extended set, it includes Kerberos service ticket event logs : 673 for Windows server 2003, 4769 for Windows server 2008 and 2012. Service tickets are obtained whenever a user or computer accesses a server on the network.

List the event ids separated by “;”.

Workstation Check                Optianally enable Use WMI to check user logoff for the collector agent to query whether users is still logged on.

Workstation Name Res- olution Advance Options

Alternative DNS server

(s)

Collector Agent uses the DNS server configured on the machine it is running on by default. If CA should use another DNS server then one or more alternative DNS server can be configured here.

Alternative work- station suffix(es)

If only host name is available CA uses the default domain suffix to build a FQDN for

DNS queries. In case CA should use a different suffix, it can be configured as well.

Configuring FSSO with Novell networks

You need to configure the eDirectory agent for it to communicate with eDirectory servers. You may have provided some of this information during installation.

This section includes:

• Configuring the eDirectory agent
• Adding an eDirectory server
• Configuring a group filter

 

Configuring the eDirectory agent

You need to configure the eDirectory agent for it to communicate with eDirectory servers.

 

To configure the eDirectory agent:

1. From the Start menu select Programs > Fortinet > eDirectory Agent > eDirectory Config Utility.

2. The eDirectory Agent Configuration Utility dialog opens. Enter the following information and select OK.

 

 

 

 

eDirectory Authentication

Username                                   Enter a username that has access to the eDirectory, using LDAP format.

Password                                   Enter the password.

Listening port                           Enter the TCP port on which Fortinet Single Sign On Agent listens for con- nections from FortiGate units. The default is 8000. You can change the port if necessary.

Refresh interval                         Enter the interval in seconds between polls of the eDirectory server to check for new logons. The default is 30 seconds.

 

FortiGate Connection Authentication

Require authenticated con-     Select to require the FortiGate unit to authenticate before connecting to nection from FortiGate             the eDirectory Agent.

Password                                   Enter the password that FortiGate units must use to authenticate. The max- imum password length is 16 characters. The default password is “Fortin- etCanada”.

User logon Info Search            Select how the eDirectory agent accesses user logon information: LDAP or Method                                       Native (Novell API). LDAP is the default.   If you select Native, you must also have the Novell Client installed on the PC.

 

Logging

Log file size limit (MB)             Enter the maximum size for the log file in MB.

View Log                                    View the current log file.

Dump Session                           List the currently logged-on users in the log file. This can be useful for troubleshooting.

Log level                                    Select Debug, Info, Warning or Error as the minimum severity level of message to log or select None to disable logging.

 

eDirectory Server List

Add                                             Add an eDirectory server. See Adding an eDirectory server on page 581.

Delete                                         Delete the selected eDirectory server.

Edit                                             Modify the settings for the selected server.

Set Group Filters…                   Select the user groups whose user logons will be reported to the FortiGate unit. This is used only if user groups are not selected on the FortiGate unit.

 

 

 

 

Adding an eDirectory server

 

Once the eDirectory agent is configured, you add one or more eDirectory servers.

 

 

To add an eDirectory server:

 

1. 1. In the eDirectory Agent Configuration Utility dialog box (see the preceding procedure, Configuring the eDirectory agent), select Add.
2. 2. The eDirectory Setup dialog box opens. Enter the following information and select OK:

 

eDirectory Server Address           Enter the IP address of the eDirectory server.

 

Port                                                  If the eDirectory server does not use the default port 389, clear the

Default check box and enter the port number.

 

Use default credential                   Select to use the credentials specified in the eDirectory Configuration Utility. See Configuring the eDirectory agent on page 579. Otherwise, leave the check box clear and enter a username and Password below.

 

User name                         Enter a username that has access to the eDirectory, using LDAP format.

 

User password                 Enter the password.

 

Use secure connection (SSL)      Select to connect to the eDirectory server using SSL security.

 

Search Base DN                             Enter the base Distinguished Name for the user search.

 

 

Configuring a group filter

 

The eDirectory agent sends user logon information to the FortiGate unit for all user groups unless you either configure an LDAP server entry for the eDirectory on the FortiGate unit and select the groups that you want to monitor or configure the group filter on the eDirectory agent.

 

If both the FortiGate LDAP configuration and the eDirectory agent group filter are present, the FortiGate user group selections are used.

 

To configure the group filter:

 

1. 1. From the Start menu select Programs > Fortinet > eDirectory Agent > eDirectory Config Utility.
2. 2. Select Set Group Filters.
3. 3. Do one of the following:

l  Enter group names, then select Add.

l  Select Advanced, select groups, and then select Add.

 

4. 4. Select OK.

Configuring the FSSO TS agent for Citrix

 

The FSSO TS agent works with the same FSSO Collector agent that is used for integration with Windows Active Directory. Install the Collector agent first. Follow the Collector agent installation procedure in Collector agent installation on page 562.

 

Configuration steps include:

• Install the Fortinet Citrix FSSO agent on the Citrix server.
• Install the Fortinet FSSO collector on a server on the network.
• Add the Citrix FSSO agent to the FortiGate Single-sign-On configuration.
• Add Citrix FSSO groups and users to an FSSO user group.
• Add an FSSO identity-based security policy that includes the Citrix FSSO user groups.

To change the TS agent configuration, select from the Start menu Programs > Fortinet > Fortinet Single Sign-On Agent > TSAgent Config. In addition to the host and Collector agent IP addresses that you set during installation, you can adjust port allocations for Citrix users. When a Citrix user logs on, the TS agent assigns that user a range of ports. By default each user has a range of 200 ports.

 

Fortinet SSO Collector Agent IP and Port needs to point to the current configured listening port on the collector which is port 8002 by default. Though it may be con- figured to a custom port.

Configuring the TS agent

Security Profiles (AV, Web Filtering etc.)

Infection can come from many sources and have many different effects. Because of this, there is no single means to effectively protect your network. Instead, you can best protect your network with the various UTM tools your FortiGate unit offers.

 

Firewall

• Be careful when disabling or deleting firewall settings. Changes that you make to the firewall configuration using the GUI or CLI are saved and activated immediately.
• Arrange firewall policies in the policy list from more specific to more general. The firewall searches for a matching policy starting from the top of the policy list and working down. For example, a very general policy matches all connection attempts. When you create exceptions to a general policy, you must add them to the policy list above the general policy.
• Avoid using the All selection for the source and destination addresses. Use addresses or address groups.
• If you remove all policies from the firewall, there are no policy matches and all connections are dropped.
• If possible, avoid port ranges on services for security reasons.
• The settings for a firewall policy should be as specific as possible. Do not use 0.0.0.0 as an address. Do not use Any as a service. Use subnets or specific IP addresses for source and destination addresses and use individual services or service groups.
• Use a 32-bit subnet mask when creating a single host address (for example, 255.255.255.255).
• Use logging on a policy only when necessary and be aware of the performance impact. For example, you may want to log all dropped connections but can choose to use this sparingly by sampling traffic data rather than have it continually storing log information you may not use.
• It is possible to use security policies based on ‘any’ interface. However, for better granularity and stricter security, explicit interfaces are recommended.
• Use the comment field to input management data, for example: who requested the rule, who authorized it, etc.
• Avoid FQDN addresses if possible, unless they are internal. It can cause a performance impact on DNS queries and security impact from DNS spoofing.
• For non vlan interfaces, use zones (even if you have only one single interface for members) to allow:
• An explicit name of the interface to use in security policies (‘internal’ is more explicit than ‘port10’).
• A split between the physical port and its function to allow port remapping (for instance moving from a 1G interface to a 10G interface) or to facilitate configuration translation, as performed during hardware upgrades.

 

Security

• Use NTP to synchronize time on the FortiGate and the core network systems, such as email servers, web servers, and logging services.
• Enable log rules to match corporate policy. For example, log administration authentication events and access to systems from untrusted interfaces.
• Minimize adhoc changes to live systems, if possible, to minimize interruptions to the network. When not possible, create backup configurations and implement sound audit systems using FortiAnalyzer and FortiManager.
• If you only need to allow access to a system on a specific port, limit the access by creating the strictest rule possible.

Chapter 5 – Best Practices

Overview

This FortiGate Best Practices document is a collection of guidelines to ensure the most secure and reliable operation of FortiGate units in a customer environment. It is updated periodically as new issues are identified.

 

General Considerations

1. For security purposes, NAT mode is preferred because all of the internal or DMZ networks can have secure private addresses. NAT mode policies use network address translation to hide the addresses in a more secure zone from users in a less secure zone.

2. Use virtual domains (VDOMs) to group related interfaces or VLAN subinterfaces. Using VDOMs will partition networks and create added security by limiting the scope of threats.

3. Use Transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.

 

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet Technical Support web site at http://support.fortinet.com.

You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time.

For information about our priority support hotline (live support), see http://support.fortinet.com. When requesting technical support, please provide the following information:

• Your name, and your company’s name and location
• Your email address and/or telephone number
• Your support contract number (if applicable)
• The product name and model number
• The product serial number (if applicable)
• The software or firmware version number
• A detailed description of the problem

 

Fortinet Knowledge Base

The most recent Fortinet technical documentation is available from the Fortinet Knowledge Base. The knowledge base contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

 

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

 

System and performance

By implementing the following best practices for system and performance, you will ensure maximum efficiency of your FortiGate device. Be sure to read everything carefully, particularly the section that concerns shutting down the FortiGate system, in order to avoid potential hardware issues.

 

Performance

• Disable any management features you do not need. If you don’t need SSH or SNMP, disable them. SSH also provides another possibility for would-be hackers to infiltrate your FortiGate unit.
• Put the most used firewall rules to the top of the interface list.
• Log only necessary traffic. The writing of logs, especially if to an internal hard disk, slows down performance.
• Enable only the required application inspections.
• Keep alert systems to a minimum. If you send logs to a syslog server, you may not need SNMP or email alerts, making for redundant processing.
• Establish scheduled FortiGuard updates at a reasonable rate. Daily updates occurring every 4-5 hours are sufficient for most situations. In more heavy-traffic situations, schedule updates for the evening when more bandwidth can be available.
• Keep security profiles to a minimum. If you do not need a profile on a firewall rule, do not include it.
• Keep VDOMs to a minimum. On low-end FortiGate units, avoid using them if possible.
• Avoid traffic shaping if you need maximum performance. Traffic shaping, by definition, slows down traffic.

RADIUS SSO example

A common RADIUS SSO topology involves a medium sized company network of users connecting to the Internet through the FortiGate unit, and authenticating with a RADIUS server. RADIUS SSO authentication was selected because it is fast and relatively easy to configure.

This section includes:

• Assumptions
• Topology
• Configuring RADIUS
• Configuring FortiGate regular and RADIUS SSO security policies
• Testing

 

Assumptions

• VDOMs are not enabled
• The admin super_admin administrator account will be used for all FortiGate unit configuration.
• Any other devices on the network do not affect the topology of this example, and therefore are not included.
• Anywhere settings are not described, they are assumed to be default values.
• A RADIUS server is installed on a server or FortiAuthenticator unit and uses default attributes.
• BGP is used for any dynamic routing.
• Authentication event logging under Log&Report has been configured.

Examples and Troubleshooting

This chapter provides an example of a FortiGate unit providing authenticated access to the Internet for both Windows network users and local users.

The following topics are included in this section:

• Firewall authentication example
• LDAP Dial-in using member-attribute example
• RADIUS SSO example
• Troubleshooting

Firewall authentication example

Example configuration

Overview

In this example, there is a Windows network connected to Port 2 on the FortiGate unit and another LAN, Network_1, connected to Port 3.

All Windows network users authenticate when they logon to their network. Members of the Engineering and Sales groups can access the Internet without entering their authentication credentials again. The example assumes that the Fortinet Single Sign On (FSSO) has already been installed and configured on the domain controller.

LAN users who belong to the Internet_users group can access the Internet after entering their username and password to authenticate. This example shows only two users, User1 is authenticated by a password stored on the FortiGate unit, User2 is authenticated on an external authentication server. Both of these users are referred to as local users because the user account is created on the FortiGate unit.