Jose_Luis_Laguna_Mer (Staff)
September 11, 2025

Technical Tip: Implementation Guide to enable micro-segmentation

Description: This article contains an implementation guide to enable micro-segmentation with FortiSwitch network devices managed by FortiGate.
Scope: Operational Technology Solution. FortiSwitch, FortiGate.
Solution:

A secure OT network is typically designed and modeled after the Purdue Enterprise Reference Architecture (PERA) framework and IEC 62443 Zones and Conduits. In this model, different layers and zones are defined from layer 0 to layer 5 in the following way:

Layer        Description
Level 5      Enterprise Network: Corporate Systems & Networks, Data Systems
Level 4      Business Planning & Logistics: Site Systems & Networks, ERP
Level 3.5    Industrial DMZ: Proxy Servers, Jump Servers
Level 3      Operations & Control: MES, Historian, EWS
Level 2      Area Supervisory Control: HMIs, SCADA
Level 1      Basic Control: PLCs, RTUs, IEDs
Level 0      Process: Actuators, Sensors, Other Field devices

More information can be viewed in the OT Asset Visibility guide (OT asset visibility - FortiGate administration guide).

 

To secure the OT network, devices in different layers and zones are separated from each other using conduits to provide clear segmentation. This reduces the risk of an attack affecting the entire system and helps meet various regulatory and compliance requirements.

 

Translating this into features of the firewall, a FortiGate along with FortiSwitch and FortiAP can utilize Virtual Local Area Networks (VLANs) and Service Set Identifiers (SSIDs) to create multiple functional zones. This allows only authorized devices, applications and users to interact between zones, where the firewall acts as the gatekeeper and conduit to enforce the zone boundaries.

 

Micro-segmentation can be deployed to provide granular segmentation by blocking intra-VLAN traffic directly on the FortiSwitch. Micro-segmentation provides segmentation within a single broadcast domain. For example, two devices communicating in the same VLAN or Subnet can be forced to communicate through the FortiGate, thus helping the Operations and Security Teams to monitor, detect and enforce any policies.

 

To configure FortiGate to block ingress and egress traffic on the same interface from the CLI:

 

Step 1: Ensure Intra-VLAN Traffic blocking is possible:

 

'allow-traffic-redirect' is enabled by default, which allows packets with the same ingress and egress interface (such as intra-VLAN traffic) to pass through the FortiGate. This configuration must be disabled before blocking intra-VLAN traffic.

 

config system global
    set allow-traffic-redirect disable
end

 

Step 2: To configure a FortiSwitch VLAN and block intra-zone traffic from the GUI:

 

  1. Go to WiFi & Switch Controller -> FortiSwitch VLANs and select Create New.
  2. Enter a Name.
  3. Enter a VLAN ID.
  4. Under Network, enable Block intra-VLAN traffic.
  5. Select OK.

 

Note: For existing VLANs, only steps 4 and 5 above need to be completed.


 

To configure from the CLI:

 

config system interface
    edit "Zone1"
        set vdom "root"
        set device-identification enable
        set role lan
        set switch-controller-access-vlan enable
        set interface "fortilink"
        set vlanid 1001
    next
end

 

Step 3: Create Proxy-ARP on the FortiGate:

 

When intra-VLAN traffic blocking is enabled, proxy ARP (Address Resolution Protocol) must be configured with the 'config system proxy-arp' CLI command, together with a firewall policy, to allow traffic between hosts. When the traffic is blocked, the destination host never receives the ARP request sent by the source host and cannot reply to it, so proxy ARP is required: the FortiGate answers the ARP requests on behalf of the destination, allowing communication between hosts whenever a firewall policy permits that traffic.

 

config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end

 

Note: The proxy-arp only supports /24 subnets. For subnets larger than /24, multiple /24 proxy ARPs must be created.
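Because each proxy-arp entry covers at most a /24, a larger OT zone needs one entry per /24 chunk. The following script is an added example (not code from the article or from Fortinet) that splits an IPv4 subnet into those chunks and renders the matching 'config system proxy-arp' stanza; the interface name and the 10.10.0.0/23 sample network are constructed assumptions.

```python
import ipaddress


def proxy_arp_entries(cidr: str, start_id: int = 1):
    """Split an IPv4 subnet into the /24-sized ranges that proxy-arp accepts.

    Returns a list of (entry_id, first_ip, last_ip). The parent network's own
    address and its broadcast address are left out; every other address is
    treated as a potential host that proxy ARP must answer for.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("expected an IPv4 network of /30 or larger")
    # A /24 or smaller network fits one entry; larger ones are cut into /24 chunks.
    chunks = [net] if net.prefixlen >= 24 else list(net.subnets(new_prefix=24))
    first_host = net.network_address + 1
    last_host = net.broadcast_address - 1
    entries = []
    for offset, chunk in enumerate(chunks):
        low = max(chunk.network_address, first_host)
        high = min(chunk.broadcast_address, last_host)
        entries.append((start_id + offset, str(low), str(high)))
    return entries


def render_proxy_arp(interface: str, cidr: str, start_id: int = 1) -> str:
    """Render the 'config system proxy-arp' stanza for every chunk of cidr."""
    lines = ["config system proxy-arp"]
    for entry_id, low, high in proxy_arp_entries(cidr, start_id):
        lines += [
            f"    edit {entry_id}",
            f'        set interface "{interface}"',
            f"        set ip {low}",
            f"        set end-ip {high}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example: a /23 OT zone on interface V100 needs two /24 entries.
    print(render_proxy_arp("V100", "10.10.0.0/23"))
```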

 

Step 4: Create Firewall Policy to allow Intra-VLAN Traffic:

 

Once multiple VLANs are configured, traffic must be explicitly allowed between the VLAN zones or IP addresses by creating specific firewall policies; the direction of the traffic can also be chosen. When defining a policy for inter- or intra-zone traffic, it is also recommended to apply an Intrusion Prevention System (IPS) profile and an Application Control profile to inspect traffic at Layer 7 with OT signatures. This prevents lateral movement of malicious traffic if a device is breached and provides a virtual patch that hides vulnerabilities from being discovered or exploited.

 

To enable OT IPS and Application Control signatures:

 

config ips global
    set exclude-signatures none
end

 

To include OT Application Control signatures:

Go to Security Profiles -> Application Control and select Create New.

  1. Enter a unique name for the sensor.
  2. Select Categories (monitor, allow, block, or quarantine).
  3. Select Operational Technology Signatures for entire coverage or choose a specific protocol in the list by using the override option.
  4. Select OK to save.

 

To set up configuration in the CLI:

 

config application list
    edit "Industrial-Monitor"
        set comment "Monitor Industrial applications."
        set other-application-log enable
        set unknown-application-log enable
    next
end


For detailed override creation, see Advanced Threat Protection for Industrial Control Systems and Operational Technology.


 

To include OT IPS signatures:

  1. Go to Security Profiles -> Intrusion Prevention.
  2. Enter a unique name for the sensor.
  3. Select Create New.
  4. Select an Action (Allow, Monitor, Block, etc).
  5. Filter the applications and select SCADA and more entries relevant to the environment.
  6. Select OK to save.


 

To configure it in the CLI:

 

config ips sensor
    edit "Industrial-IPS-Signatures"
        config entries
            edit 1
                set application SCADA
                set action pass
            next
        end
    next
end

 

To configure a firewall policy to allow inter-VLAN traffic with IPS inspection and Application Control:

 

  1. Go to Policy & Objects -> Firewall Policy.
  2. Select Create New.
  3. Enter a Name.
  4. Select the Incoming interface.
  5. Select the Outgoing interface.
  6. Select the Source and Destination.
  7. Select the Service.
  8. Disable NAT if devices have routes to reach each other.
  9. Enable IPS and select the IPS profile.
  10. Enable Application Control and select the Application control profile.
  11. Select an SSL Inspection profile.
  12. Select OK to save.

 

To set up configuration in the CLI:

 

config firewall policy
    edit 0
        set name "Zone2to1"
        set srcintf "Zone2"
        set dstintf "Zone1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "Industrial-IPS-Signatures"
        set application-list "Industrial-Monitor"
        set logtraffic all
    next
end
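A quick way to confirm that a running configuration still matches Steps 1 and 4 is to parse a 'show' dump and flag policies that accept traffic without the inspection profiles, or a 'system global' that has re-enabled allow-traffic-redirect. The script below is an added example (not code from the article or from Fortinet); the sample configuration is constructed, and the parser only understands the config/edit/set/next/end layout used in this guide.

```python
from collections import defaultdict
# Constructed sample: the guide's settings, plus a policy without IPS or Application Control.
SAMPLE_CONFIG = """\
config system global
    set allow-traffic-redirect disable
end
config firewall policy
    edit 1
        set action accept
        set utm-status enable
        set ips-sensor "Industrial-IPS-Signatures"
        set application-list "Industrial-Monitor"
    next
    edit 2
        set action accept
    next
end
"""

def parse_fortios(text: str):
    """Flatten config/edit/set/next/end blocks into {section: {entry: {key: value}}}; section-level sets use entry ""."""
    tree = defaultdict(lambda: defaultdict(dict))
    stack = []  # one [section, current_entry] pair per open 'config' block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[7:], ""])
        elif line.startswith("edit "):
            stack[-1][1] = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree[stack[-1][0]][stack[-1][1]][key] = value.strip('"')
        elif line == "next":
            stack[-1][1] = ""
        elif line == "end":
            stack.pop()
    return tree

def audit(text: str):
    """Return one finding per setting that undoes the guide's segmentation intent."""
    cfg, findings = parse_fortios(text), []
    if cfg["system global"][""].get("allow-traffic-redirect") != "disable":
        findings.append("system global: allow-traffic-redirect must be disabled")
    for pid, pol in cfg["firewall policy"].items():
        if pol.get("action") != "accept":
            continue  # deny policies carry no inspection profiles
        missing = [k for k in ("utm-status", "ips-sensor", "application-list") if pol.get(k) in (None, "disable")]
        if missing:
            findings.append(f"firewall policy {pid}: missing {', '.join(missing)}")
    return findings
```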

 

Step 5: Ensure Availability of Connection.

 

FortiGate manages FortiSwitch, which is also known as using a FortiSwitch in FortiLink mode. FortiLink defines the management interface and the remote management protocol between the FortiGate and FortiSwitch.

In a scenario where the FortiGate connection is lost, it is important to choose the correct behaviour: fail-open or fail-close. If fail-open is selected, devices can continue to communicate without interruption, whereas fail-close blocks the traffic. Fail-open is recommended for OT systems to ensure availability.

 

config switch-controller fortilink-settings
    edit "<FortiLink_interface>"
        set access-vlan-mode { legacy | fail-open | fail-close }
    next
end

 

For more tips and references on securing the OT network, see OT network segmentation and microsegmentation - Fortinet guide.