Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiDave
New Contributor III

Fortigate Security Audit

Hi all,

 

Ive to carry out a security audit on a customers FGT firewall ruleset, and configuration.

 

Im wondering could I get some recommendations from the community on best approaches here i.e. maybe some commands for getting valuable outputs, or other not so obvious security checks for FGTs?

 

Thanks all.

3 REPLIES 3
Anthony_E
Community Manager
Community Manager

Hello Dave,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff
Staff

Hi Dave,

 

the best practices can be filling an entire page. Most important is to truly know what the rule set is doing and then to minimize access.

 

Firewall rulesets are evaluated top-down and will, if no rules match, drop this traffic.

"Traffic" here means srcIP:srcport<>dstIP:dstport (and FSSO group, if any). That set will always be evaluated anew if not already known to the firewall in that combination.

You need to know the network that the firewall is protecting. Expected traffic from outside to inside may be allowed, explain why is it expected?

Sometimes I see rule sets that seem to use only one source interface to one destination interface (wan) which I personally think is a no-go-design unless there is another firewall segregating traffic before this firewall. It should be physically different interfaces for different networks.

On FortiGate you can have security profiles that will be executed after the firewall policy match, these can help to increase security, but only if you got deep inspection running and working.

 

The valuable information will also be only valuable if you know exactly what to explain.

For authentication part "diag firewall auth list" gives some output for what users are authenticated to the firewall (if any). Other commands depend very well on what is to be displayed.

 

If I were an auditor and would ask random questions, I would ask for example:

- If the printer here is disconnected and I attach my laptop, would I have access to company resources?

- Are your network switches or the firewalls physically accessible to anyone? Is there level of access enforcement?

- If an employee infects his or her system with malware, how can you contain it quickly and effective? How will you see this in the firewall logs? Will you receive any report? FortiAnalyzer can help here if available and properly set up with the FortiGate.

 

Hope that gives a little guide. This is by no means complete, but has some things listed that I'd expect.

 

Best regards,

 

Markus

 

 

FortiDave
New Contributor III

Hi Marcus, thank you for the update, Ive only seen it now.

 

Below is my report headings, should it help someone else on the community.

 

Configuration Review ................................................................................................7

5.1.  System Resources ........................................................................................................ 7

5.2.  Hostnames .................................................................................................................. 7

5.3.  FortiOS Version ............................................................................................................ 7

5.4.  HA ............................................................................................................................... 8

5.5.  System Events.............................................................................................................. 8

5.6.  Licensing & FortiGuard ................................................................................................. 8

5.7.  Monitoring / SNMP ...................................................................................................... 9

5.8.  System Timezone ......................................................................................................... 9

5.9.  System Interfaces......................................................................................................... 9

5.10.  Administrative Accounts & Trusted Hosts ................................................................... 10

5.11.  User & Authentication ............................................................................................... 10

5.12.  VPNs.......................................................................................................................... 11

5.12.1.  IPSEC ..........................................................................................................................................11

5.12.2.  SSL VPN......................................................................................................................................11

5.13.  Firewall VIPs / NATs ................................................................................................... 12

5.14.  Firewall Policy............................................................................................................ 12

5.14.1.  Rules with ANY defined as the Source, Destination and/or Service in the rule .......................12

5.14.2.  Logging On Rules .......................................................................................................................13

5.14.3.  Test/Temporary Rules ...............................................................................................................13

5.14.4.  Disabled Rules ...........................................................................................................................13

5.14.5.  Group Source, Destination & Service Objects (when needed) .................................................13

5.14.6.  Unused (No Hits) Rules..............................................................................................................14

5.14.7.  Rule Commenting ......................................................................................................................14

5.14.8.  Rule Order Optimisation for Performance Improvements .......................................................15

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors