Friday, February 27, 2009

Securing Firewall Administrator Access to Fortigates

One feature which is often times overlooked is the ability to lock down the firewall interfaces from accepting any type of administrative traffic attempts. This is very useful for further enhancing the security of the firewall itself and making reconnaissance attempts that much more difficult.

By default you can connect to any firewall interface which has administrative traffic enabled, for example:
  • The firewall internal interface is configured for 192.168.1.1/24 and to accept ping, https and ssh
  • The trusted hosts for your admin account are configured for 0.0.0.0/0 and you only have one account configured
  • You are located on the 192.168.44.0 network and can reach the firewall's internal interface via a router
  • You can ping the firewall and access the login screens for the web gui as well connect to port 22 to attempt to authenticate via SSH. If you provide the correct credentials for the admin user you will be granted access.
Now let's say you want the to lock down the firewall to a point where users outside the 192.168.1.0 network cannot even ping the firewall or access the web gui. Proceed as follows:
  • Under System -> Admin edit the appropriate user
  • Set Trusted Host #1 to 192.168.1.0/24 and ignore the other two
Now any user not on the 192.168.1.0/24 network cannot ping, https or ssh to the firewall even though these services are enabled on the interface. You can also specify the trusted host to be a single IP address by using a /32. For example setting your trusted host to 192.168.1.42/32 (or 192.168.1.42/255.255.255.255) would only permit a single machine to connect to the firewall for administrative purposes. You can specify up to a total of three separate trusted hosts or networks.

Multiple Administrator Accounts

If you have multiple administrator accounts defined be aware that all of the trusted hosts for all accounts need to be configured exactly the same for this to work as shown in the next screenshot.


If any of the trusted hosts defined are different when compared between admin accounts the interfaces will be reachable again. However you will of course only be able to login if your IP address matches the trusted hosts defined in your admin account.


Also make sure you remember that your firewall interfaces are locked down so you don't start wondering why all of a sudden your firewall no longer responds to pings. (That has of course never happened to me ;)

3 comments:

Anonymous said...

And other administrative functions, like SNMP, are also implicitly affected by the administrator trusted IP blocks as well.

If SNMP isn't working, make sure that the range of IPs you are querying from is also listed as being allowed to login for one of the admin accounts.

Matthew said...

Another idea complements of the FortiGate v4.0 CLI Reference page 370:

strong-crypto
{enable | disable}

Default Setting: disable

Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for
HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.

Anonymous said...

thanks dear
it helped me to resolve the issue