Friday, February 27, 2009

Securing Firewall Administrator Access to Fortigates

One feature which is often times overlooked is the ability to lock down the firewall interfaces from accepting any type of administrative traffic attempts. This is very useful for further enhancing the security of the firewall itself and making reconnaissance attempts that much more difficult.

By default you can connect to any firewall interface which has administrative traffic enabled, for example:
  • The firewall internal interface is configured for and to accept ping, https and ssh
  • The trusted hosts for your admin account are configured for and you only have one account configured
  • You are located on the network and can reach the firewall's internal interface via a router
  • You can ping the firewall and access the login screens for the web gui as well connect to port 22 to attempt to authenticate via SSH. If you provide the correct credentials for the admin user you will be granted access.
Now let's say you want the to lock down the firewall to a point where users outside the network cannot even ping the firewall or access the web gui. Proceed as follows:
  • Under System -> Admin edit the appropriate user
  • Set Trusted Host #1 to and ignore the other two
Now any user not on the network cannot ping, https or ssh to the firewall even though these services are enabled on the interface. You can also specify the trusted host to be a single IP address by using a /32. For example setting your trusted host to (or would only permit a single machine to connect to the firewall for administrative purposes. You can specify up to a total of three separate trusted hosts or networks.

Multiple Administrator Accounts

If you have multiple administrator accounts defined be aware that all of the trusted hosts for all accounts need to be configured exactly the same for this to work as shown in the next screenshot.

If any of the trusted hosts defined are different when compared between admin accounts the interfaces will be reachable again. However you will of course only be able to login if your IP address matches the trusted hosts defined in your admin account.

Also make sure you remember that your firewall interfaces are locked down so you don't start wondering why all of a sudden your firewall no longer responds to pings. (That has of course never happened to me ;)

Tuesday, February 24, 2009

FortiOS 4.0 Released

After a well deserved vacation I am back and posting and will be talking about the new version 4.0 of FortiOS. Now that it has been officially released I can comment on some of the great new features that I was testing in the Beta versions. Below is a summary of the enhancements and I will write more in-depth about some of the more important additions over the coming weeks.

In the meantime you can already review the updated user guide here.

FortiOS 4.0 New Features and Enhancements

· Redesigned web UI
· Supports Data Leak Prevention (DLP) Feature
· DHCP over IPSec Interface Support
· Supports Power Supply Monitoring
· WCCP v2 Support
· SNMPv3 Support
· Customized GUI Control
· Enhanced Load Balance Feature
· Supports WAN Optimization and Web Cache Feature
· Redesigned SSL-VPN Web Portal
· Supports HTTP POST Blocking
· Supports Rogue Access Point Detection Feature
· Supports Addition web UI Widgets
· Supports Identity Based Firewall Policies
· Supports Policy Based Traffic Shaping
· Support for IPv6 Intrusion Protection
· Supports "ANY" Interface for Firewall Policies.
· Supports Administration over Modem Interface
· Enhanced Central Management Communication Model
· Redesigned IPS Feature
· RADIUS Feature Enhancements
· Enhanced Application Control Feature
· Configurable VDOM Resource Limits
· Redesigned SNMP MIBS
· Logging Improvements
· Introduction of AntiSpam Engine
· Endpoint Control Feature
· SSL Content Scanning and Inspection
· Administration Over Modem
· Network Access Control (NAC) Quarantine