Hi,
I wonder whether connecting FortiGates to a central management platform (a FortiManager VM on Azure) over the Internet is a security best practice. Would it be better to add an IPsec layer? Surely it would, but only for this kind of traffic?
Thanks for your point of view
Regards
Oliver
It depends on whether you have legal/compliance requirements to put everything inside IPsec. If you don't have such constraints, I personally see no added value: all communication between FortiGate and FortiManager is already encrypted with TLS using quite strong cipher suites. By default the encryption level is set to "high", and on relatively recent FGT/FMG versions (6.2 or later) that means the tunnel is encrypted with
ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, or ECDHE-RSA-AES128-GCM-SHA256.
A detailed discussion of the FGFM protocol can be found here: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/067f5236-ca6d-11e9-8977-005056...
Edit: of course, securing management access to the FMG is a must, either through Azure or by your own means.
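If you want to verify for yourself which cipher suites the FGFM tunnel actually negotiates, rather than relying on the "high" setting, you can probe the FortiManager's FGFM port from a host that can reach it. The script below is an added example, not Fortinet's code and not part of the answer above. It assumes FGFM listens on TCP/541 over TLS (adjust the port if your deployment differs), that the target address is a placeholder you replace with your FMG's IP, and it uses OpenSSL-style suite names, the same naming the answer uses. The grading rules (ephemeral key exchange plus an AEAD cipher) are my reading of what the quoted "high" set has in common, not a Fortinet definition.

```python
"""Probe the TLS handshake on an FGFM port and grade the suites it accepts.

Added example, not Fortinet code. Assumptions: FGFM is TLS on TCP/541,
the target address is a placeholder, suite names follow OpenSSL conventions.
"""
import socket
import ssl

# Constructed sample list: the three suites named in the answer above plus
# a few deliberately weaker ones to show how the grading rules react.
CANDIDATE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-SHA384",   # forward secrecy, but CBC + HMAC (no AEAD)
    "AES256-GCM-SHA384",         # static RSA key exchange: no forward secrecy
    "DES-CBC3-SHA",              # 3DES
]


def suite_is_acceptable(name: str) -> bool:
    """True if an OpenSSL-style suite name offers forward secrecy and AEAD.

    Rules (my reading of the 'high' set quoted in the answer, not Fortinet's):
      - key exchange must be ephemeral: ECDHE-/DHE- (TLS 1.2) or any TLS 1.3 suite
      - record protection must be AEAD: GCM or CHACHA20-POLY1305
      - nothing with NULL, EXPORT, RC4, DES/3DES, MD5 or anonymous key exchange
    """
    n = name.upper()
    banned = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")
    if any(b in n for b in banned):
        return False
    if n.startswith("TLS_"):  # TLS 1.3 suites are always (EC)DHE + AEAD
        return "GCM" in n or "CHACHA20" in n
    forward_secret = n.startswith(("ECDHE-", "DHE-"))
    aead = "GCM" in n or "CHACHA20" in n
    return forward_secret and aead


def _client_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # FMG/FGT commonly present self-signed certs;
    ctx.verify_mode = ssl.CERT_NONE  # here we inspect ciphers, not trust
    return ctx


def negotiated_suite(host: str, port: int = 541, timeout: float = 5.0):
    """Do one default handshake and return (protocol_version, suite) the server picked."""
    ctx = _client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return version, name


def accepted_suites(host: str, port: int = 541, candidates=CANDIDATE_SUITES,
                    timeout: float = 5.0):
    """Offer each TLS 1.2 suite on its own and record which ones the server accepts."""
    accepted = []
    for suite in candidates:
        ctx = _client_context()
        # set_ciphers() only governs TLS 1.2 suites; cap the version so a
        # TLS 1.3 handshake cannot silently succeed with a different suite.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(suite)  # SSLError if this OpenSSL build lacks the suite
        except ssl.SSLError:
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    accepted.append(suite)
        except (ssl.SSLError, OSError):
            pass  # server rejected the suite (or connection failed)
    return accepted


def grade(suites):
    """Split suite names into (acceptable, weak) for reporting."""
    ok = [s for s in suites if suite_is_acceptable(s)]
    weak = [s for s in suites if not suite_is_acceptable(s)]
    return ok, weak


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder FMG address
    print("default handshake:", negotiated_suite(target))
    ok, weak = grade(accepted_suites(target))
    print("acceptable suites accepted by server:", ok)
    print("WEAK suites accepted by server:", weak)
```

Run it as `python probe_fgfm.py <fmg-address>` from a host allowed through to the FGFM port. An empty "WEAK" list and a TLS 1.2 or 1.3 AEAD suite on the default handshake is what you would expect with the "high" setting. If the FortiManager demands a client certificate during the handshake itself, the probes may fail after the server hello; in that case capture the ServerHello with tcpdump or Wireshark on the FortiGate side instead, which shows the chosen suite without needing to complete the handshake.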
Copyright 2024 Fortinet, Inc. All Rights Reserved.