oriehl
New Member
July 26, 2022
Question

Securing Fortimanager on Azure

  • July 26, 2022
  • 1 reply
  • 988 views

Hi,
I wonder if connecting FortiGates to a central management (FortiManager VM on Azure) over the Internet is a best practice from a security standpoint. Would it be better to add an IPsec layer? Surely right, but only for this kind of traffic?
Thanks for your point of view

Regards

Oliver

1 reply

Yurisk
SuperUser
July 29, 2022

It depends on whether you have legal/compliance requirements to put everything inside IPsec. If you don't have such limitations, I personally see no added value: all communication between FortiGate and FortiManager is already encrypted with TLS using quite strong encryption algorithms. By default the encryption set is "high", and if the FGT/FMG versions are relatively recent (6.2 or later), the tunnel is encrypted with

ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256.
Detailed discussion of the FGFM protocol can be found here https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/067f5236-ca6d-11e9-8977-00505692583a/FGFM-6.2-Communications_Protocol_Guide.pdf 
Edit: Of course, securing management access to the FMG is a must, either with Azure or your own means.
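An added check to go with the reply above (not code from the thread or from Fortinet): it uses `openssl s_client` to see which TLS cipher a FortiManager actually negotiates on its FGFM listener and compares it with the three suites quoted in the reply. It assumes the FGFM listener is TCP/541 and that a plain TLS client can complete the handshake there; the hostname in the usage line is a placeholder.

```sh
#!/bin/sh
# Added example: audit the TLS cipher a FortiManager negotiates on its FGFM
# listener. Port 541 is assumed; the suite list is the one quoted in the reply.
FGFM_PORT=541
FGFM_CIPHERS="ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256"

# Pull the negotiated cipher name out of an `openssl s_client` transcript
# (the "Cipher    : NAME" line of its SSL-Session summary). Reads stdin.
negotiated_cipher() {
  sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Exit 0 when $1 is one of the suites the reply says an FGT/FMG pair uses.
cipher_expected() {
  for c in $FGFM_CIPHERS; do
    [ "$1" = "$c" ] && return 0
  done
  return 1
}

# Connect to HOST (and optional PORT), print the negotiated cipher and whether
# it is on the expected list. Exit 0 = expected suite, 1 = unexpected suite,
# 2 = no TLS session at all (wrong port, blocked by a firewall, FMG not listening).
probe_fmg() {
  host=$1
  port=${2:-$FGFM_PORT}
  transcript=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null) || true
  cipher=$(printf '%s\n' "$transcript" | negotiated_cipher)
  # s_client reports "Cipher    : 0000" when the handshake did not complete.
  if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
    echo "$host:$port: no TLS session negotiated"
    return 2
  fi
  if cipher_expected "$cipher"; then
    echo "$host:$port: $cipher (expected FGFM suite)"
    return 0
  fi
  echo "$host:$port: $cipher (NOT on the expected list, review the FMG TLS settings)"
  return 1
}

# Usage (placeholder hostname): probe_fmg fmg.example.internal
```

Run it from a host that can reach the FMG's FGFM port; a result of 2 from the FortiGate side usually means the path itself is blocked rather than a cipher problem.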