Description
This article describes the best practices for firewall policy configuration on FortiGate.
Scope
FortiGate.
Solution
- Avoid configuring the FortiGate with an 'allow all' traffic policy. It greatly simplifies the configuration, but at the cost of security. As a security measure, it is a best practice for the policy rule base to deny by default and to permit only the traffic that is explicitly required: keep the implicit deny policy at the bottom of the list and add accept policies above it only for known flows.
- On a heavily loaded system, plan configuration changes during low-usage periods to minimize the impact on CPU usage.
Changes to the firewall policy configuration may cause established sessions to be marked dirty, which requires CPU time to re-evaluate them against the new policy. In this scenario, it is considered a best practice to review the following setting before applying firewall policy changes: 'check-all' (the default) re-evaluates every established session, 'check-new' leaves established sessions untouched and applies the new policy only to new sessions, and 'check-policy-option' defers to the per-policy setting. For additional information, refer to the Firewall Sessions Dirty Check Feature.
config system settings
set firewall-session-dirty { check-all | check-new | check-policy-option }
end
- Avoid using the 'any' interface as either the source or the destination interface in a firewall policy that allows traffic. Instead, use specific interfaces together with specific addresses/subnets and services in the firewall policies. This granular approach filters out unexpected traffic and allows only the necessary traffic. Additionally, it reduces the chances of audit and compliance findings.
- FortiGate also allows the creation of IP/MAC-based access control policies using ZTNA tags, which provide an additional factor (device identity and security posture checks) for implementing role-based zero-trust access.
- FortiOS supports flow-based and proxy-based inspection in firewall policies.
- Flow-based inspection takes a snapshot of content packets and uses pattern matching to identify security threats in the content.
- Proxy-based inspection reconstructs content that passes through the FortiGate and inspects the content for security threats.
- Proxy mode provides the most thorough inspection of the traffic. However, its thoroughness sacrifices performance, making its throughput slower than that of a flow-mode policy.
- Choose the inspection mode as appropriate to the business needs and based on the capabilities of the hardware.
- For additional information, refer to Firewall Inspection Modes.
Enabling UTM Inspection:
- To make effective use of the system resources, only the UTM profiles that align with the network and business needs must be enabled on the firewall policies.
- Enabling UTM profiles that are not relevant to the traffic handled by the firewall policy can impact system performance and leave gaps in the network's security posture. A few recommendations are listed below.
- The FortiGuard Antivirus Service is a comprehensive antivirus solution that helps organizations of all sizes protect their critical assets from malware.
- FortiGate can be configured to apply antivirus protection to HTTP, FTP, IMAP, POP3, SMTP, CIFS, and NNTP sessions. Proxy-based antivirus profiles also support MAPI and SSH protocols.
- To view the configuration options of an antivirus profile, refer to Configuring Anti-Virus on FortiGate.
- Enable the antivirus profile on the firewall policy configuration to activate this inspection.
- SSL Deep packet inspection must be enabled to inspect the data exchanged through encrypted communications (HTTPS).
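The points above (deny by default, no 'any' interfaces or all/all policies, UTM profiles on accept policies, deep inspection when UTM is applied) can be checked mechanically against the output of 'show firewall policy'. The script below is an added example and is not Fortinet code. It parses the FortiOS CLI format (config / edit <id> / set <key> <values> / next / end) and reports accept policies that are too broad or too lightly inspected. SAMPLE_CONFIG is constructed for illustration: policy 1 is the 'allow all' shape warned against above, policy 2 the corrected, granular form. The profile key names are the FortiOS ones; the check for deep inspection only recognizes the two built-in profiles that do not decrypt, so custom SSL/SSH profiles still need a manual look.

```python
"""Audit FortiGate firewall policies against the practices above.

Added example, not Fortinet code. Parses the text of 'show firewall policy'
and reports accept policies that are too broad or too lightly inspected.
"""
import re
import shlex

# Constructed sample: policy 1 is the 'allow all' shape, policy 2 the corrected form.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "permit-everything"
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
    next
    edit 2
        set name "lan-to-internet-web"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "LAN_10.1.0.0_24"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
    next
end
"""

# Security-profile keys that can be attached to a policy (FortiOS names).
UTM_KEYS = ("av-profile", "ips-sensor", "webfilter-profile",
            "dnsfilter-profile", "application-list",
            "file-filter-profile", "dlp-profile")

# Built-in read-only SSL/SSH profiles that do NOT decrypt payloads.
# Custom profiles must be checked under 'config firewall ssl-ssh-profile'.
NON_DEEP_SSL_PROFILES = {"no-inspection", "certificate-inspection"}


def parse_policies(text):
    """Return {policy_id: {key: [values, ...]}} from 'show firewall policy' text."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit\s+(\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)          # unquotes "names with spaces"
            current[parts[1]] = parts[2:]
    return policies


def audit_policy(policy):
    """Return the list of findings for one policy (empty if it looks fine)."""
    findings = []
    if policy.get("action", ["deny"])[0] != "accept":
        return findings                        # deny policies are not the concern here
    if "any" in policy.get("srcintf", []) or "any" in policy.get("dstintf", []):
        findings.append("uses the 'any' interface as source or destination")
    if (policy.get("srcaddr") == ["all"] and policy.get("dstaddr") == ["all"]
            and policy.get("service") == ["ALL"]):
        findings.append("all -> all on service ALL: an 'allow all' policy")
    attached = [k for k in UTM_KEYS if k in policy]
    if policy.get("utm-status", ["disable"])[0] != "enable" or not attached:
        findings.append("no UTM profile is applied")
    ssl_profile = policy.get("ssl-ssh-profile", ["no-inspection"])[0]
    if attached and ssl_profile in NON_DEEP_SSL_PROFILES:
        findings.append(f"UTM profiles set but ssl-ssh-profile '{ssl_profile}' "
                        "does not decrypt HTTPS")
    return findings


def audit(text):
    """Map policy id -> findings, listing only policies that have findings."""
    return {pid: f for pid, p in parse_policies(text).items()
            if (f := audit_policy(p))}


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_CONFIG).items():
        print(f"policy {pid}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real 'show firewall policy' dump saved to a file and feed the text to audit(); policy 1 in the sample produces three findings and policy 2 none. The audit is deliberately conservative: a policy with srcaddr "all" to an internet-facing interface is normal, so only the all/all/ALL combination is reported as 'allow all'.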
- It is essential to defend against potential intrusions targeting the public-facing services hosted in the network. Given the exposure of these services, they are prime targets for malicious entities.
- For a web server hosted using VIP/Virtual Server configurations on the firewall, enable an IPS sensor in the firewall policy to block attack traffic targeting the relevant services.
- FortiGate offers a suite of IPS signatures tailored to defend specific software and services from attacks.
- Create an IPS Sensor and enable the relevant signatures for the software/services used in the network environment.
- Configure the action for these signatures to 'block' to ensure potential attacks are halted at the firewall.
- The IPS sensor must then be enabled in the firewall policy to preemptively stop any known threats from exploiting vulnerabilities in the system or the enabled services.
- For additional information about configuring IPS profiles, refer to Configuring IPS Sensor on FortiGate.
- SSL Deep packet inspection must be enabled to inspect the data exchanged through encrypted communications (HTTPS).
- A DNS Filter profile enabled in the firewall policy scans the DNS traffic traversing the FortiGate.
- DNS resolution of internet or locally hosted domains can be allowed, blocked or monitored through the DNS filter profile configuration.
- To view the configuration options of a DNS Filter profile, refer to Configuring DNS Filter Profile on FortiGate.
- To control access to Internet websites or to locally hosted web pages, enable a web filter profile in the firewall policy.
- FortiGate identifies the website's hostname during the SSL/TLS handshake (from the SNI or the server certificate) and queries FortiGuard for the website category, then applies the action configured in the web filter profile.
- Additionally, access to locally hosted private domains/URLs/URL paths can be controlled with the URL filter configuration within the web filter profile.
- To view the configuration options of a Web Filter profile, refer to Configuring Web Filtering on FortiGate.
- SSL Deep packet inspection must be enabled to specifically inspect URL paths within HTTPS communication.
- An application control profile enabled in the firewall policy can recognize application traffic even when the traffic uses non-standard ports or protocols.
- To view the configuration options of an Application Filter profile, refer to Configuring Application Control Profile on FortiGate.
- SSL Deep Packet Inspection must be enabled to allow FortiGate to inspect application traffic that uses encrypted communication protocols, such as HTTPS.
- File Filter and DLP profiles in the firewall policy control the flow of different file types and sensitive data passing through the FortiGate.
- Additionally, if the network carries email and VoIP traffic, FortiGate supports Email Filtering and VoIP inspection to protect against related attacks.
- Enable an SSL Inspection profile in the firewall policy to inspect the encrypted communications allowed by the policy.
- When certificate inspection is selected, FortiGate inspects only the unencrypted part of the handshake (up to the SSL/TLS layer), that is, the SNI and the server certificate, and does not decrypt the payload.
- Deep Packet Inspection on the other hand performs a more thorough examination by decrypting the traffic payloads for UTM inspection.
- To view the configuration options of an SSL Inspection profile, refer to Configuring SSL Inspection Profile on Firewall Policy.
- Viruses, vulnerabilities, and attack vectors evolve over time. An active FortiGuard subscription ensures that the FortiGate receives new and revised signature and application databases automatically as they are released, and so provides up-to-date protection.
- FortiGate Network Processors (NP) on physical hardware platforms accelerate traffic by offloading it from the main CPU.
Ensure that the firewall policies have the settings below enabled to make effective use of the system CPU resources.
config firewall policy
edit <policy_id>
set auto-asic-offload enable
set np-acceleration enable
end
- DoS attacks aim to overwhelm locally hosted systems/services, making them unavailable. The large number of sessions or packets slows down or disables the target system, preventing legitimate users from using it.
- Configuring DoS policies can mitigate these threats effectively.
- To view the configuration options within DoS policies, refer to Configuring DoS Policies on FortiGate.
- The threshold is the maximum number of sessions or packets per second that is regarded as normal.
- If incoming traffic exceeds this threshold, the specified action is initiated.
- It is crucial to find a balance when configuring this threshold. High Thresholds may fail to detect actual DoS attacks.
- Low Thresholds can lead to false positives, blocking legitimate traffic.
Below is a methodical approach to fine-tuning the settings within DoS Policy Configuration:
Step#1 | Initial Setup:
Configure the DoS policy action to 'Pass' and turn on logging.
Step#2 | Monitor & Analyze:
Review the logs over a set period, noting how regular traffic patterns manifest.
Step#3 | Optimize:
Gradually modify the threshold values. Aim to discern the point where normal traffic patterns start to trigger attack warnings.
Step#4 | Finalize the thresholds:
Once identified, set the threshold slightly above this point. Consider the desired safety margin: smaller margins offer better protection but may lead to more false positives.
While default threshold values are a good starting point, they might not align with the network's specific requirements.
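Steps 1 to 4 above can be carried out from the logs themselves. The script below is an added example and is not Fortinet code. With the DoS policy action set to 'Pass' and logging on, every crossing of the current threshold produces an anomaly log that records the observed rate; the script parses such key=value log lines, finds the peak rate seen per anomaly type during the monitoring period, proposes a new threshold a chosen percentage above that peak, and renders the FortiOS CLI to apply it and switch the action to block. SAMPLE_LOGS is constructed for illustration: it follows the key=value shape of FortiGate anomaly logs and assumes the attack=, count= and action= fields, so confirm the field names against your own logs. The CLI layout (config firewall DoS-policy / config anomaly / edit "<anomaly>" / set threshold) should likewise be verified against the FortiOS version in use.

```python
"""Propose DoS-policy thresholds from FortiGate anomaly logs.

Added example, not Fortinet code. Implements the monitor-and-tune procedure:
collect anomaly logs in Pass mode, take the per-anomaly peak, add a margin.
"""
import re
from collections import defaultdict

# Constructed sample anomaly logs (Pass mode, logging on). Field names assumed.
SAMPLE_LOGS = """\
date=2024-03-01 time=09:00:01 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.10 dstip=192.0.2.20 srcintf="wan1" action="detected" proto=6 service="HTTP" count=2100 attack="tcp_syn_flood" dstport=80 policyid=1 policytype="DoS-policy" msg="anomaly: tcp_syn_flood, 2100 > threshold 2000, repeats 1 times"
date=2024-03-01 time=09:00:31 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.11 dstip=192.0.2.20 srcintf="wan1" action="detected" proto=6 service="HTTP" count=2600 attack="tcp_syn_flood" dstport=80 policyid=1 policytype="DoS-policy" msg="anomaly: tcp_syn_flood, 2600 > threshold 2000, repeats 3 times"
date=2024-03-01 time=09:01:02 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.12 dstip=192.0.2.20 srcintf="wan1" action="detected" proto=6 service="HTTP" count=2350 attack="tcp_syn_flood" dstport=80 policyid=1 policytype="DoS-policy" msg="anomaly: tcp_syn_flood, 2350 > threshold 2000, repeats 2 times"
date=2024-03-01 time=09:05:10 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=198.51.100.7 dstip=192.0.2.53 srcintf="wan1" action="detected" proto=17 service="DNS" count=12000 attack="udp_flood" dstport=53 policyid=1 policytype="DoS-policy" msg="anomaly: udp_flood, 12000 > threshold 10000, repeats 1 times"
date=2024-03-01 time=09:05:40 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=198.51.100.8 dstip=192.0.2.53 srcintf="wan1" action="detected" proto=17 service="DNS" count=12800 attack="udp_flood" dstport=53 policyid=1 policytype="DoS-policy" msg="anomaly: udp_flood, 12800 > threshold 10000, repeats 2 times"
"""

# key=value pairs; values are either "double quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Split one FortiGate key=value log line into a dict (quotes removed)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def peak_rates(lines, only_action="detected"):
    """Peak observed rate per anomaly type, from logs produced in Pass mode."""
    peaks = defaultdict(int)
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "anomaly" or "attack" not in rec or "count" not in rec:
            continue
        if only_action and rec.get("action") != only_action:
            continue                           # skip logs already written in block mode
        peaks[rec["attack"]] = max(peaks[rec["attack"]], int(rec["count"]))
    return dict(peaks)


def propose_thresholds(peaks, margin_pct=20):
    """Peak plus a safety margin; integer maths so the result is exact (ceiling)."""
    return {anomaly: peak + (peak * margin_pct + 99) // 100
            for anomaly, peak in peaks.items()}


def render_cli(policy_id, thresholds):
    """Emit FortiOS CLI that applies the thresholds and moves the action to block."""
    lines = ["config firewall DoS-policy",
             f"    edit {policy_id}",
             "        config anomaly"]
    for anomaly, threshold in sorted(thresholds.items()):
        lines += [f'            edit "{anomaly}"',
                  "                set status enable",
                  "                set log enable",
                  "                set action block",
                  f"                set threshold {threshold}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    observed = peak_rates(SAMPLE_LOGS.splitlines())
    print(render_cli(1, propose_thresholds(observed)))
```

Feed the script the anomaly logs exported for the whole monitoring window rather than a single busy hour, otherwise the peak underestimates legitimate traffic and the new threshold still fires on normal load. For the sample, the tcp_syn_flood peak of 2600 with a 20 percent margin yields a threshold of 3120, and the udp_flood peak of 12800 yields 15360.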
Other Recommendations:
- Geo-Blocking: If the services do not require global access, consider implementing geo-blocking. Restricting access to specific regions can drastically reduce the attack surface.
- Traffic Analysis: Regularly analyze traffic patterns using FortiAnalyzer, FortiGate Traffic/Event logs, or similar tools. Such analysis can give insights into potential threats and help fine-tune policies.
- Stay Updated: Security is a dynamic field. Regularly follow Fortinet's advisories, forums, and community discussions to be aware of emerging threats and recommended configurations.
Note:
While Fortinet technology provides a solid defense system, continuous monitoring and proactive management are vital to ensure the security of the systems.