Jose_Luis_Laguna_Mer
Article Id 410377
Description This article contains an implementation guide to enable micro-segmentation with FortiSwitch network devices managed by FortiGate.
Scope Operational Technology Solution. FortiSwitch, FortiGate.
Solution

A secure OT network is typically designed and modeled after the Purdue Enterprise Reference Architecture (PERA) framework and IEC 62443 Zones and Conduits. In this model, different layers and zones are defined from layer 0 to layer 5 in the following way:

 

Layer       Description
Level 5     Enterprise Network: Corporate Systems & Networks, Data Systems
Level 4     Business Planning & Logistics: Site Systems & Networks, ERP
Level 3.5   Industrial DMZ: Proxy Servers, Jump Servers
Level 3     Operations & Control: MES, Historian, EWS
Level 2     Area Supervisory Control: HMIs, SCADA
Level 1     Basic Control: PLCs, RTUs, IEDs
Level 0     Process: Actuators, Sensors, Other Field devices

 

More information can be viewed in the OT Asset Visibility guide (OT asset visibility - FortiGate administration guide).

 

To secure the OT network, devices in different layers and zones are separated from each other by conduits, which provides clear segmentation. This limits the blast radius of an attack, so that one compromised device does not affect the entire system, and it supports compliance with the relevant regulatory requirements.

 

Translating this into features of the firewall, a FortiGate along with FortiSwitch and FortiAP can utilize Virtual Local Area Networks (VLANs) and Service Set Identifiers (SSIDs) to create multiple functional zones. This allows only authorized devices, applications and users to interact between zones, where the firewall acts as the gatekeeper and conduit to enforce the zone boundaries.

 

Micro-segmentation provides more granular segmentation by blocking intra-VLAN traffic directly on the FortiSwitch, that is, segmentation within a single broadcast domain. For example, two devices in the same VLAN or subnet can be forced to communicate through the FortiGate, which lets the operations and security teams monitor, detect and enforce policies on that traffic.

 

To configure FortiGate to block ingress and egress traffic on the same interface from the CLI:

 

Step 1: Ensure Intra-VLAN Traffic blocking is possible:

 

'allow-traffic-redirect' is enabled by default. While it is enabled, packets whose ingress and egress interface are the same (such as intra-VLAN traffic hairpinning through the FortiGate) are forwarded without being matched against firewall policies. It must be disabled before intra-VLAN traffic can be blocked; otherwise the policies created in Step 4 are never consulted for that traffic.

 

config system global
    set allow-traffic-redirect disable
end

 

Step 2: To configure a FortiSwitch VLAN and block intra-zone traffic from the GUI:

 

  1. Go to WiFi & Switch Controller -> FortiSwitch VLANs and select Create New.
  2. Enter a Name.
  3. Enter a VLAN ID.
  4. Under Network, enable Block intra-VLAN traffic.
  5. Select OK.

 

Note: For existing VLANs, only steps 4 and 5 above need to be completed.

 
 


 

To configure from the CLI:

 

config system interface
    edit "Zone1"
        set vdom "root"
        set device-identification enable
        set role lan
        set switch-controller-access-vlan enable
        set interface "fortilink"
        set vlanid 1001
    next
end

 

Step 3: Create Proxy-ARP on the FortiGate:

 

When intra-VLAN traffic blocking is enabled, hosts in the VLAN can no longer reach each other directly, so proxy ARP (Address Resolution Protocol) must be configured with the 'config system proxy-arp' CLI command, together with a firewall policy (Step 4). Because the FortiSwitch drops the traffic between the hosts, the destination host never sees the ARP request sent by the source host and cannot answer it. With proxy ARP configured, the FortiGate answers the ARP request with its own MAC address, so the source host sends the frame to the FortiGate, which forwards it to the destination only when a firewall policy permits that traffic.

 

config system proxy-arp
    edit 1
        set interface "V100"
        set ip 1.1.1.1
        set end-ip 1.1.1.200
    next
end

 

Note: A single proxy-arp entry covers at most a /24 range. For subnets larger than /24, create one proxy-arp entry per /24.
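Because each proxy-arp entry covers at most a /24, a larger OT subnet needs several entries with consecutive IDs, which is easy to get wrong by hand. The following Python helper is an added example (not part of the original article and not a Fortinet tool): it splits a VLAN subnet into per-/24 host ranges and renders the same 'config system proxy-arp' stanza shown above. The interface name V100 and the subnet 10.10.0.0/22 are constructed sample values, and the ranges cover every usable host of each /24, as in the article's 1.1.1.1 to 1.1.1.200 example.

```python
import ipaddress


def proxy_arp_entries(interface, subnet, start_id=1):
    """Return one proxy-arp entry per /24 (or per smaller subnet), each
    covering the usable hosts of that chunk, with consecutive entry IDs."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4:
        raise ValueError("proxy-arp only applies to IPv4 (ARP)")
    # Subnets shorter than /24 are split into /24s; /24 and longer are used as-is.
    chunks = list(net.subnets(new_prefix=24)) if net.prefixlen < 24 else [net]
    entries = []
    for entry_id, chunk in enumerate(chunks, start=start_id):
        hosts = list(chunk.hosts())  # network and broadcast addresses are skipped
        entries.append({"id": entry_id, "interface": interface,
                        "ip": str(hosts[0]), "end-ip": str(hosts[-1])})
    return entries


def render_proxy_arp(entries):
    """Render the entries as the FortiOS 'config system proxy-arp' stanza."""
    lines = ["config system proxy-arp"]
    for e in entries:
        lines += [f"    edit {e['id']}",
                  f"        set interface \"{e['interface']}\"",
                  f"        set ip {e['ip']}",
                  f"        set end-ip {e['end-ip']}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a /22 OT VLAN on interface V100 needs four entries.
    print(render_proxy_arp(proxy_arp_entries("V100", "10.10.0.0/22")))
```

The output can be pasted into the FortiGate CLI; if entries already exist, pass a higher start_id so the new IDs do not overwrite them.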

 

Step 4: Create Firewall Policy to allow Intra-VLAN Traffic:

 

Once the VLANs are configured with intra-VLAN blocking, traffic between VLAN zones, and between hosts in the same VLAN, must be explicitly allowed by creating firewall policies for the required source, destination and direction. When defining a policy for inter- or intra-zone traffic, also apply an Intrusion Prevention System (IPS) profile and an Application Control profile that inspect the traffic at Layer 7 with OT signatures. This limits lateral movement if a device is breached and provides virtual patching, so that known vulnerabilities in field devices cannot be discovered or exploited through the inspected conduit.

 

To enable OT IPS and Application Control signatures:

 

config ips global
    set exclude-signatures none
end

 

To include OT Application Control signatures:

Go to Security Profiles -> Application Control and select Create New.

  1. Enter a unique name for the sensor.
  2. Select Categories (monitor, allow, block, or quarantine).
  3. Select Operational Technology Signatures for entire coverage or choose a specific protocol in the list by using the override option.
  4. Select OK to save.

 

To set up configuration in the CLI:

 

config application list
    edit "Industrial-Monitor"
        set comment "Monitor Industrial applications."
        set other-application-log enable
        set unknown-application-log enable
    next
end


For detailed override creation, see Advanced Threat Protection for Industrial Control Systems and Operational Technology.

 


 

To include OT IPS signatures:

  1. Go to Security Profiles -> Intrusion Prevention and select Create New.
  2. Enter a unique name for the sensor.
  3. In the signatures and filters section, select Create New to add a filter.
  4. Select an Action (Allow, Monitor, Block, etc.).
  5. Filter by application, select SCADA and any further entries relevant to the environment.
  6. Select OK to save.

 


 

To configure it in the CLI:

 

config ips sensor
    edit "Industrial-IPS-Signatures"
        config entries
            edit 1
                set application SCADA
                set action pass
            next
        end
    next
end

 

To configure a firewall policy that allows traffic with IPS inspection and Application Control (for intra-VLAN traffic, select the same VLAN interface as both the Incoming and the Outgoing interface; the inter-VLAN example below uses Zone2 as source and Zone1 as destination):

 

  1. Go to Policy & Objects -> Firewall Policy.
  2. Select Create New.
  3. Enter a Name.
  4. Select the Incoming interface.
  5. Select the Outgoing interface.
  6. Select the Source and Destination.
  7. Select the Service.
  8. Disable NAT if devices have routes to reach each other.
  9. Enable IPS and select the IPS profile.
  10. Enable Application Control and select the Application control profile.
  11. Select an SSL Inspection profile.
  12. Select OK to save.

 

To set up configuration in the CLI:

 

config firewall policy
    edit 0
        set name "Zone2to1"
        set srcintf "Zone2"
        set dstintf "Zone1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "Industrial-IPS-Signatures"
        set application-list "Industrial-Monitor"
        set logtraffic all
    next
end

 

Step 5: Ensure Availability of Connection.

 

FortiGate manages FortiSwitch, which is also known as using a FortiSwitch in FortiLink mode. FortiLink defines the management interface and the remote management protocol between the FortiGate and FortiSwitch.

If the connection to the FortiGate is lost, the FortiSwitch behaviour depends on the configured access VLAN mode, so it is important to choose between fail-open and fail-close deliberately. With fail-open, intra-VLAN blocking is lifted and the devices keep communicating without interruption; with fail-close, the traffic stays blocked until FortiLink is restored. Fail-open is recommended for OT systems to ensure availability, with the caveat that micro-segmentation is not enforced while the connection is down, so the loss of FortiLink itself should be monitored and alerted on.

 

config switch-controller fortilink-settings
    edit "<FortiLink_interface>"
        set access-vlan-mode {legacy | fail-open | fail-close}
    next
end
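Steps 1 to 5 only work together: a VLAN with intra-VLAN blocking but no proxy-arp entry, or no same-interface policy, silently isolates every host on it. The following Python script is an added example, not from the original article and not a Fortinet tool. It parses the config/edit/set/next/end format of a FortiOS configuration backup into nested dictionaries and then checks the prerequisites of the five steps: allow-traffic-redirect disabled, a proxy-arp entry and an accept policy with srcintf equal to dstintf and IPS enabled for every VLAN that has switch-controller-access-vlan enabled, and access-vlan-mode fail-open on the FortiLink interface. The two embedded configurations are constructed samples; the names Zone1, Zone2, Zone1-intra and the 10.10.1.0/24 range are assumptions.

```python
import shlex


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts: tables
    are keyed by their config path, entries by their edit key, values as strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_microsegmentation(cfg):
    """Return one finding per missing prerequisite of steps 1 to 5."""
    findings = []
    # Step 1: the default 'enable' lets same-interface traffic bypass policy.
    if cfg.get("system global", {}).get("allow-traffic-redirect", "enable") != "disable":
        findings.append("system global: allow-traffic-redirect must be disabled")
    proxied = {e.get("interface") for e in cfg.get("system proxy-arp", {}).values()}
    policies = list(cfg.get("firewall policy", {}).values())
    for name, intf in cfg.get("system interface", {}).items():
        if intf.get("switch-controller-access-vlan") != "enable":
            continue  # Step 2: only VLANs that block intra-VLAN traffic matter
        if name not in proxied:  # Step 3: hosts cannot resolve each other otherwise
            findings.append(f"{name}: no system proxy-arp entry for this VLAN")
        intra = [p for p in policies if p.get("srcintf") == name
                 and p.get("dstintf") == name and p.get("action") == "accept"]
        if not intra:  # Step 4: intra-VLAN policy has srcintf == dstintf
            findings.append(f"{name}: no accept policy with srcintf and dstintf both {name}")
        for p in intra:
            if p.get("utm-status") != "enable" or "ips-sensor" not in p:
                findings.append(f"{name}: policy {p.get('name', '?')} allows traffic without IPS")
    for link, s in cfg.get("switch-controller fortilink-settings", {}).items():
        mode = s.get("access-vlan-mode", "legacy")
        if mode != "fail-open":  # Step 5: anything else isolates hosts on FortiLink loss
            findings.append(f"fortilink {link}: access-vlan-mode is {mode}, not fail-open")
    return findings


# Constructed sample: all five steps applied for VLAN "Zone1".
GOOD_CONFIG = """
config system global
    set allow-traffic-redirect disable
end
config system interface
    edit "Zone1"
        set switch-controller-access-vlan enable
        set vlanid 1001
    next
end
config system proxy-arp
    edit 1
        set interface "Zone1"
        set ip 10.10.1.1
        set end-ip 10.10.1.254
    next
end
config firewall policy
    edit 1
        set name "Zone1-intra"
        set srcintf "Zone1"
        set dstintf "Zone1"
        set action accept
        set utm-status enable
        set ips-sensor "Industrial-IPS-Signatures"
    next
end
config switch-controller fortilink-settings
    edit "fortilink"
        set access-vlan-mode fail-open
    next
end
"""
# Constructed sample: intra-VLAN blocking enabled on "Zone2" and nothing else done.
WEAK_CONFIG = """
config system interface
    edit "Zone2"
        set switch-controller-access-vlan enable
        set vlanid 1002
    next
end
config switch-controller fortilink-settings
    edit "fortilink"
        set access-vlan-mode fail-close
    next
end
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_microsegmentation(parse_fortios(text)) or ["ok"])
```

Run it against the output of 'show full-configuration' (or a backup file) after each change; an empty finding list for every VLAN with switch-controller-access-vlan enabled is the state the five steps are meant to reach.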

 

For more tips and references on securing the OT network, see OT network segmentation and microsegmentation - Fortinet guide.