Enhancing the security TO the Fortigate, not just THROUGH it.

By Manny Fernandez

January 21, 2019

Enhancing the security TO the Fortigate, not just THROUGH it.

The IPS policies on the Fortigate are defined and assigned to policies. This means that the packets match the packets flowing THROUGH the firewall. In some cases, you may want to block traffic TO the firewall. Fortinet Fortigates do a good job via the Trusted Hosts whereby the Administrative Access is ONLY allowed from these hosts.

Trusted Hosts

This is defined on each Interface of the Fortigate (Physical, VLAN, Loopback, etc)

NOTE: If you have a user like the one above “admin” that has ‘Trusted Hosts’ configured on it and NO OTHER admin accounts, you will not be able to connect to the Firewall on ANY interface for management via HTTP, HTTPS, and even PING unless it is coming from that ‘Trusted Host’. HOWEVER, if you have this admin and any other administrative account WITHOUT the ‘Trusted Hosts’ configured, the HTTPS, HTTP, Ping etc will be accessible from ANY IP address. In other words, make sure you lock down ALL the administrative accounts with Trusted Hosts.

Local-In Policies

In the case where you need to have NO ‘trusted hosts’ configured but still want to limit certain access to the firewall itself, here is the next option for you.

The local-in policies define traffic TO the Fortigate. There is no GUI configuration for these policies save a snap-in on the GUI that shows you the default ‘Local-In’ policies. To manually configure these policies, you will need to go to the “Ugly Black Screen” as I like to call it, although I love, love, love, the CLI.

The following is an example I have configured in my lab

config firewall local-in-policy
   edit 1
     set intf "port1"
     set srcaddr "all"
     set dstaddr "300E-Public"
     set service "SIP"
     set schedule "always"
     set comments "Block SIP to Fortigate 300E"
   next

   edit 2
     set intf "port1"
     set srcaddr "Blocked-Countries"
     set dstaddr "300E-Public"
     set service "ALL"
     set schedule "always"
     set comments "Block Bad Countries"
   next
end

On policy 1, we can see that the interface is port1, source all, destination 300E-Public (which is my public IP), the Service is SIP and the schedule is Always.

On policy 2, we are blocking all traffic destined to the firewall’s public IP source from any network in my Blocked-Countries Address group.

These policies are not logged by default, and as such, you need to configure the firewall to log local traffic. This is done under the Log & Report, Local Traffic.

Above, you can see traffic that has been dropped destined to my public IP.

You can modify the behavior by changing the settings under…

Interface Policies

The other optional configuration I like to do is ‘Interface Policies’. With Interface Policies, you can apply security profiles to traffic destined to the Firewall itself.

config firewall interface-policy
    edit 1
       set logtraffic all
       set interface "port1"
       set srcaddr "all"
       set dstaddr "300E-Public"
       set service "ALL"
       set ips-sensor-status enable
       set ips-sensor "Interface-Firewall-Sensor"
    next
end

Above, you can see that I have enabled the IPS profile of all_default destined to the public IP of the Fortigate.

After enabling this policy, I immediately picked up a signature from a China site trying to run some exploits against my Fortigate.

Disclaimer: I configured this IPS policy BEFORE I configured the Blocked-Countries Local-in policy.

Here we can see that Minute Ago I saw this attack and the firewall subsequently dropped the packet.

Here we can see some of the specifics of the attack such as source, destination, etc.

NOTE: Beware of the excessive logging, since I do not have to pay for FAZ storage or GB per day, it is fine for me, but your mileage may vary.

Enhancing the security TO the Fortigate, not just THROUGH it.

Trusted Hosts

Local-In Policies

Interface Policies

Recent posts