Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pjang
Staff & Editor
Staff & Editor

Created on ‎08-04-2024 04:56 PM

Article Id 330184

Technical Tip: Understanding FSBP ND06.1 in the Security Rating Report ('No third party router or NAT devices should be detected in the network')

Description This article describes Fortinet Security Best Practice (FSBP) ND06.1, which recommends that 'No third party router or NAT devices should be detected in the network'.
Scope FortiGate.
Solution

Generally speaking, the recommendations made within the FSBP assume that the administrator is utilizing an all-Fortinet deployment (i.e. FortiGates, FortiSwitches, FortiAP) so that they can leverage the benefits of the Fortinet Security Fabric (i.e. increased network visibility and centralized management).

 

FSBP ND06.1 assumes that replacing a third-party router/NAT device (aka Layer 3 network devices) with a FortiGate is an improvement for the network, as it would allow the administrator to expand the Security Fabric and thus the scope of network visibility. Similarly, the presence of an unexpected router/NAT device (such as an end-user connecting a personal router/wireless access-point to the downstream network) could be a potential security concern that would be flagged as a failure for FSBP ND06.1.

 

Side note: the Device Detection/Identification feature on Fortinet products operates at a Layer 2 level and creates device entries based on MAC address. This means that any devices that are separated from the FortiGate by a Layer 3 router/NAT device would be difficult or even impossible for the FortiGate to detect and identify properly (leading to reduced network visibility for the administrator).

 

However, it is not always feasible (or even necessary) to replace third-party devices with Fortinet equivalents. There are many situations where a third-party router/NAT device needs to be used, such as pre-existing/legacy infrastructure that cannot be upgraded, or when relying upon connections to equipment owned and operated by a different team or company (e.g. an ISP router or a connection within a colocation datacenter).

 

Consider the following recommendations regarding FSBP ND06.1:

  • ND06.1 assesses the list of assets found with Device Detection/Identification. Consider disabling device identification on network interfaces that are known to connect to third-party infrastructure (such as interfaces that are marked with the WAN role) so that they do not factor into ND06.1.
  • Additionally, keep in mind that ND06.1 is a recommendation and not a hard security rule. It is acceptable to not meet/pass this recommendation as long as there is a clear understanding about the potential downsides (e.g. reduced network visibility from the FortiGate for anything behind a third-party router/NAT device).

 

Related articles:
Labels:
740
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.