FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193255


This article describes best practices for policy configuration.





Policy configuration.

Configuring the FortiGate with an ‘allow all’ traffic policy is very undesirable.
While this does greatly simplify the configuration, it is less secure.
As a security measure, it is best practice for the policy rule base to ‘deny’ by default, and not the other way around.

Policy configuration changes.

On a heavy-loaded system, plan configuration changes during low usage periods in order to minimize impact on CPU usage and established sessions.
In this scenario, it is considered a best practice to de-accelerate the hardware-accelerated sessions.

Configure de-accelerated behaviour on hardware-accelerated sessions using CLI commands to control how the processor manages policy configuration changes.
The following CLI commands are to be used:

# config system settings
    set firewall-session-dirty { check-all | check-new | check-policy-option }

Policy allowlisting.

- Allow only the necessary inbound and outbound traffic.
- If possible, limit traffic to specific addresses or subnets. This allows the FortiGate to drop traffic to and from unexpected addresses.

IPS and DoS Policies:

1. Importance of IPS: It's essential to defend against potential attacks targeting public-facing services. Given the exposure of these services, they are prime targets for malicious entities.

  • IPS Signatures for Public Services: If there is a web server or other public-facing service, set up the IPS to block signatures associated with these services. This preemptively stops known threats from exploiting vulnerabilities in the services.

2. FortiGate’s IPS Signatures for Software Protection: FortiGate offers a suite of IPS signatures tailored to defend specific software titles from DoS attacks.

  • Action on Match: Enable the relevant signatures for the software used and configure their actions to block, ensuring potential attacks are halted at the firewall.

3. Importance of FortiGuard IPS Subscription: Vulnerabilities and attack vectors evolve over time. Having an active FortiGuard IPS subscription ensures:

  • Regular Updates: the FortiGate will automatically receive new and revised IPS signatures as they're developed, ensuring up-to-date protection.

4. Configuring DoS Policies: DoS attacks aim to overwhelm services, making them unavailable. Properly setting up DoS policies can mitigate these threats.

  • Setting Thresholds: The threshold determines the maximum number of sessions or packets per second deemed as normal traffic. If incoming traffic exceeds this threshold, the specified action is initiated. It's crucial to find a balance when setting this threshold:

    • High Thresholds: Might fail to detect actual DoS attacks.
    • Low Thresholds: Can lead to false positives, blocking legitimate traffic.
  • Tuning the Threshold: While default threshold values are a good starting point, they might not align with the network's specific requirements. Here’s a methodical approach to fine-tuning:

    1. Initial Setup: Configure the DoS policy action to "Pass" and turn on logging.
    2. Monitor & Analyze: Review the logs over a set period, noting how regular traffic patterns manifest.
    3. Adjustment: Gradually modify the threshold values. Aim to discern the point where normal traffic patterns start to trigger attack warnings.
    4. Finalize Threshold: Once identified, set the threshold slightly above this point. Consider the desired margin for safety—smaller margins offer better protection but might lead to more false positives.

5. Additional Information:

  • Geo-Blocking: If the services don't require global access, consider implementing geo-blocking. Restricting access to specific regions can drastically reduce the attack surface.

  • Traffic Analysis: Regularly analyze traffic patterns using FortiAnalyzer or similar tools. Such analysis can give insights into potential threats and help fine-tune policies.

  • Stay Updated: Security is a dynamic field. Regularly follow Fortinet's advisories, forums, and community discussions to be aware of emerging threats and recommended configurations.

Remember, while technology provides a solid defense, continuous monitoring and proactive management are vital to ensure the security of the systems.