FortiGate
qpham1
Staff
Article Id 335374
Description This article describes how to restrict self-originated (local-out) traffic from FortiGate toward the public FortiGuard servers.
Scope FortiGate.
Solution

When a FortiGate is managed by a FortiManager that also acts as its FortiGuard server (local FortiGuard distribution server), it can be necessary to make sure that traffic originated by the FortiGate itself no longer reaches the public FortiGuard servers. Because this self-originated traffic is not subject to the regular firewall policies, it cannot simply be denied with a policy; two alternatives are described below.

The first solution is to collect the public FortiGuard FQDNs in an address group and create a blackhole static route with that group as destination. Both the address objects and the group need 'allow-routing' enabled so that they can be used as a route destination, and the FortiGate must be able to resolve the FQDNs through its configured DNS servers: a name that does not resolve contributes no prefix to the route.

config firewall address
    edit "FQDN-DIRECTREGISTRATION.FORTINET.COM"
        set uuid 5c10dfac-3360-51ef-647d-a329f4a06ba7
        set type fqdn
        set allow-routing enable
        set fqdn "DIRECTREGISTRATION.FORTINET.COM"
    next
    edit "FQDN-GLOBALDEVCOLLECT.FORTINET.NET"
        set uuid a8e1be82-3360-51ef-321f-a145ef6f7702
        set type fqdn
        set allow-routing enable
        set fqdn "GLOBALDEVCOLLECT.FORTINET.NET"
    next
    edit "FQDN-GLOBALDEVQUERY.FORTINET.NET"
        set uuid bb3f3f0a-3360-51ef-c0b5-a4d6c64bb3d9
        set type fqdn
        set allow-routing enable
        set fqdn "GLOBALDEVQUERY.FORTINET.NET"
    next
    edit "FQDN-MSGCTRL1.FORTINET.COM"
        set uuid cd1e98ba-3360-51ef-fc4e-a7f932b612f0
        set type fqdn
        set allow-routing enable
        set fqdn "MSGCTRL1.FORTINET.COM"
    next
    edit "FQDN-PRODUCTAPI.FORTINET.COM"
        set uuid dcc194f2-3360-51ef-0744-a121387d6181
        set type fqdn
        set allow-routing enable
        set fqdn "PRODUCTAPI.FORTINET.COM"
    next
    edit "FQDN-SECUREGIP.FORTINET.NET"
        set uuid f45330a8-3360-51ef-7fcc-46fe3a4a3b44
        set type fqdn
        set allow-routing enable
        set fqdn "SECUREGIP.FORTINET.NET"
    next
end
config firewall addrgrp
    edit "GRP-FortiGuard-Public-FQDNs"
        set uuid 8abe3df4-3360-51ef-bc55-d9c73854b1e3
        set member "FQDN-DIRECTREGISTRATION.FORTINET.COM" "FQDN-GLOBALDEVCOLLECT.FORTINET.NET" "FQDN-GLOBALDEVQUERY.FORTINET.NET" "FQDN-MSGCTRL1.FORTINET.COM" "FQDN-PRODUCTAPI.FORTINET.COM" "FQDN-SECUREGIP.FORTINET.NET"
        set allow-routing enable
    next
end

config router static
    edit 99
        set blackhole enable
        set comment "Block local-out to public FortiGuard Servers"
        set dstaddr "GRP-FortiGuard-Public-FQDNs"
    next
end
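Before relying on the blackhole route, it is worth confirming that the FQDN objects actually resolved and that the route is present, and then watching where a FortiGuard update attempt really goes. The CLI session below is an added example and is not part of the original article. It also shows the 'config system central-management' settings that point updates and rating queries at the FortiManager and disable the fallback to the public servers ('include-default-servers disable'), which is the setting the blackhole route backs up. The FortiManager address 10.0.0.5 and the sniffer host 203.0.113.10 are placeholders, not values from the article.

```fortios
# 1. Every FQDN member must have resolved to at least one address.
#    A member with no IP listed here adds nothing to the blackhole route.
diagnose firewall fqdn list

# 2. Confirm the blackhole route is installed for the resolved prefixes.
get router info routing-table all

# 3. Use the FortiManager (placeholder address 10.0.0.5) as the FortiGuard
#    server for updates and rating queries, and do not fall back to the
#    public FortiGuard servers when it is unreachable.
config system central-management
    set type fortimanager
    set fmg "10.0.0.5"
    set include-default-servers disable
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.0.0.5
        next
    end
end

# 4. Trigger an update and check in the debug output which server the
#    unit contacts; attempts toward the public servers should now fail.
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose debug disable
diagnose debug reset

# 5. Optionally sniff for packets still leaving toward a public FortiGuard
#    address (placeholder IP, take the real one from step 1).
diagnose sniffer packet any 'host 203.0.113.10' 4 10
```

If step 1 shows an FQDN without resolved addresses, fix DNS on the FortiGate first; the blackhole route only covers the prefixes the unit has resolved at that moment, and it is refreshed as the DNS records change.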


The second solution is to block all FortiGate-to-cloud communication by disabling 'cloud-communication' and 'fortitoken-cloud' under 'config system global'. Note that 'cloud-communication' controls all of the unit's cloud communication, not only FortiGuard, and that disabling 'fortitoken-cloud' stops the FortiToken Cloud service. The current values can be checked first (only the relevant lines of the output are shown):

get system global
cloud-communication : enable
fortitoken-cloud : enable


config system global
    set cloud-communication disable
    set fortitoken-cloud disable
end


The result can be checked with 'diagnose debug rating', which lists the FortiGuard rating services as disabled:

diagnose debug rating
Locale : english

Service : Web-filter
Status : Disable

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable


The GUI images show the self-originated traffic of the FortiGate before and after applying the solutions.