Atul_S
Staff & Editor
June 2, 2026

Technical Tip: FortiGate Checklist to meet common compliance standards (PCI‑DSS, ISO 27001, NIST 800‑53, HIPAA): What to block and what to enforce


Description

This article describes the compliance frameworks (PCI‑DSS, ISO 27001, NIST 800‑53, HIPAA) that require a perimeter firewall (FortiGate) to block insecure services, enforce strong authentication, log all relevant traffic, and protect its management interfaces.

Scope

FortiGate.

Solution

If the device is left with default‑allow rules, legacy protocols, or insufficient logging, auditors will flag non‑conformities that can lead to remediation costs or loss of certification.


The checklist below translates the high‑level control requirements of the major standards into concrete FortiGate and FortiAnalyzer settings, and shows which protocols, ports, and traffic types should be blocked and which controls must be enabled for the firewall to be considered 'compliant'.


  • Disable/remove all default‑allow policies (any policy with source = all, destination = all, service = ALL):

config firewall policy
    delete <policy-id>
end


  • Block all management protocols except those explicitly allowed below.

  1. Interface‑level: allow only ping, HTTPS and SSH on each management‑facing interface:

config system interface
    edit <interface-name>
        set allowaccess ping https ssh
    next
end


  2. Policy‑level: Configure a local‑in policy to deny all traffic to the FortiGate management ports from any source, explicitly exempting the authorised management IP address.


  • Restrict management access to trusted IPs / VPN only.


  1. Create a dedicated admin‑vpn address object (e.g., the corporate IP range):

config firewall address
    edit "admin-vpn"
        set subnet <x.x.x.x y.y.y.y>
    next
end


Then create a (local‑in) policy: src = admin‑vpn → dst = FortiGate → service = HTTPS/SSH → action = accept.


  • Enforce multi‑factor authentication (MFA) for admin accounts.

    System → Admin → Edit each admin → Enable Two‑Factor Authentication (FortiToken, Duo, etc.).


  • Block legacy cryptographic protocols.

  1. SSL/SSH inspection profile: set ssl-min-proto-version TLSv1.2

  2. SSH: set ssh-keys-hash sha256

  3. Disable SSL‑VPN SSL‑v3/DTLS‑v1.0.

  • Enable and enforce Application Control/IPS for all inbound/outbound traffic.

  1. Create an IPS sensor with a default‑action block for critical CVEs; attach to all policies.

  2. Create an Application Control profile that blocks 'P2P', 'File‑Sharing', and 'Remote‑Desktop' unless explicitly allowed.


  • Log all traffic that traverses the firewall (logging is configured per policy, so apply it to every policy):

config firewall policy
    edit <policy-id>
        set logtraffic all
    next
end


Forward the logs to FortiAnalyzer/FortiSIEM.
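As an added example (not code from this article or from Fortinet), the following Python script turns three of the checklist items above into an offline check that can be run against a FortiOS configuration export before an audit: the default‑allow policy item, the interface‑level allowaccess item, and the per‑policy logging item. The SAMPLE_CONFIG text is constructed for the example, and its interface names, policy IDs and address objects are hypothetical.

```python
"""Offline compliance check for a FortiOS configuration export (added example).

Parses the plain-text 'config ... end' format and flags: default-allow policies
(source = all, destination = all, service = ALL), policies that do not log all
traffic, and interfaces that still allow cleartext management (HTTP/Telnet).
SAMPLE_CONFIG is constructed; its names and IDs are hypothetical.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set name "permit-all"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set logtraffic utm
    next
    edit 2
        set name "servers-egress"
        set srcaddr "internal-servers"
        set dstaddr "all"
        set service "DNS" "HTTPS" "NTP"
        set action accept
        set logtraffic all
    next
end
"""

# Management protocols that must not appear in 'set allowaccess'.
CLEARTEXT_MGMT = {"http", "telnet"}


def parse_config(text: str) -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    """Return {table: {entry: {key: [values]}}} for top-level config tables.

    One level of 'edit ... next' is handled; nested 'config' blocks inside an
    entry are skipped, which is enough for the checks below.
    """
    sections: Dict[str, Dict[str, Dict[str, List[str]]]] = {}
    table = entry = None
    depth = 0  # >0 while inside a nested config block we are skipping
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if table is None:
                table = line[len("config "):]
                sections.setdefault(table, {})
            else:
                depth += 1
        elif line == "end":
            if depth:
                depth -= 1
            else:
                table = entry = None
        elif depth:
            continue
        elif line.startswith("edit ") and table:
            entry = line[len("edit "):].strip('"')
            sections[table][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and table and entry:
            key, _, rest = line[len("set "):].partition(" ")
            # values are "quoted strings" or bare tokens, possibly several
            sections[table][entry][key] = [
                v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)
            ]
    return sections


def audit(text: str) -> List[str]:
    """Return one finding per gap; an empty list means the checks pass."""
    cfg = parse_config(text)
    findings: List[str] = []
    for name, attrs in cfg.get("system interface", {}).items():
        bad = CLEARTEXT_MGMT & set(attrs.get("allowaccess", []))
        if bad:
            findings.append(f"interface {name}: cleartext management enabled "
                            f"({', '.join(sorted(bad))})")
    for pid, attrs in cfg.get("firewall policy", {}).items():
        if (attrs.get("action") == ["accept"] and attrs.get("srcaddr") == ["all"]
                and attrs.get("dstaddr") == ["all"] and attrs.get("service") == ["ALL"]):
            findings.append(f"policy {pid}: default-allow (all -> all, service ALL)")
        if attrs.get("logtraffic") != ["all"]:
            findings.append(f"policy {pid}: logtraffic is not 'all'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of `show full-configuration` saved to a file (read the file instead of SAMPLE_CONFIG); each finding maps directly to one of the CLI fixes in this checklist.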


  • Synchronise time to an authorised NTP server and set the time zone:

config system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "time.nist.gov"
        next
    end
end

config system global
    set timezone <region>
end


  • Patch management: enable Auto‑Update or schedule a weekly check:

config system autoupdate schedule
    set status enable
    set frequency weekly
end


  • Restrict outbound Internet access for management and critical servers:

    Create a policy: source = internal‑servers → destination = any → service = DNS, HTTPS, NTP → action = accept; deny everything else.


  • Set up regular compliance scans and alerting.

  1. Use FortiGuard Vulnerability Scan or integrate Nessus/OpenVAS; schedule daily scans.

  2. Configure alerts: config log alert-setting → set severity alert → set event-type traffic‑violation.


  • Document the change‑control workflow and enable CLI audit logging on the FortiGate:

config system global
set cli-audit-log enable
end


  • Back up the configuration after every change and encrypt the backup (the final password encrypts the backup file):

execute backup config sftp <filename> <server-ip>[:<port>] <username> <password> <backup-password>


  • Test the hardened firewall (e.g., PCI DSS internal & external scans).

Run Qualys PCI‑DSS scan from an external IP; run Nessus internal scan. Verify no violations.

Related document: Hardening.