Description
This article describes best practices for policy configuration.
Scope
FortiGate.
Solution
Policy configuration.
Configuring the FortiGate with an ‘allow all’ traffic policy is very undesirable.
While this does greatly simplify the configuration, it is less secure.
As a security measure, it is best practice for the policy rule base to ‘deny’ by default, and not the other way around.
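To make the 'deny by default' rule checkable rather than a matter of reading policies by eye, the following script parses a FortiOS-style config firewall policy block and flags any rule that accepts all sources, destinations and services, and reports whether the rule base ends with an explicit deny. This is an added example, not Fortinet code; the parser and the sample configuration it runs on are constructed for illustration, and the rule it applies (srcaddr, dstaddr and service all set to 'all' with action accept) is an assumption about what 'allow all' means in practice.

```python
"""Audit a FortiOS 'config firewall policy' block for 'allow all' rules.

Added example, not part of the Fortinet article. The parser handles the
edit/set/next/end structure of a policy block; the sample config is
constructed. An 'allow all' rule is taken to be one whose srcaddr, dstaddr
and service are all wildcards and whose action is accept.
"""
import re
from dataclasses import dataclass, field

# Constructed sample configuration (not taken from the article).
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "web-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_net"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set action accept
        set schedule "always"
    next
    edit 2
        set name "temporary-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
    next
    edit 3
        set name "explicit-deny"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action deny
        set schedule "always"
    next
end
"""


@dataclass
class Policy:
    policy_id: int
    settings: dict = field(default_factory=dict)

    def values(self, key):
        return self.settings.get(key, [])

    def is_allow_all(self):
        """True when src, dst and service are all wildcards and action is accept."""
        return (
            self.values("action") == ["accept"]
            and self.values("srcaddr") == ["all"]
            and self.values("dstaddr") == ["all"]
            and [v.upper() for v in self.values("service")] == ["ALL"]
        )


def parse_policies(config_text):
    """Return the policies found in 'config firewall policy', in file order."""
    policies, current, in_block = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = Policy(int(m.group(1)))
            continue
        if line == "next" and current is not None:
            policies.append(current)
            current = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and current is not None:
            # Values are space separated and may be quoted: "HTTP" "HTTPS"
            tokens = re.findall(r'"[^"]*"|\S+', m.group(2))
            current.settings[m.group(1)] = [t.strip('"') for t in tokens]
    return policies


def audit(config_text):
    """Return (ids of allow-all policies, whether the last policy is an explicit any/any deny)."""
    policies = parse_policies(config_text)
    allow_all = [p.policy_id for p in policies if p.is_allow_all()]
    last = policies[-1] if policies else None
    explicit_deny = (
        last is not None
        and last.values("action") == ["deny"]
        and last.values("srcaddr") == ["all"]
        and last.values("dstaddr") == ["all"]
    )
    return allow_all, explicit_deny


if __name__ == "__main__":
    ids, has_deny = audit(SAMPLE_CONFIG)
    for pid in ids:
        print(f"policy {pid}: allow-all rule; tighten it so the rule base denies by default")
    print("explicit final deny present:", has_deny)
```

Running it against a config backup exported from the device lets the check be repeated after every change window; policy 2 in the constructed sample is the kind of 'temporary' any/any rule that tends to outlive its purpose.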
Policy configuration changes.
On a heavily loaded system, plan configuration changes during low-usage periods in order to minimize the impact on CPU usage and established sessions.
In this scenario, it is considered a best practice to de-accelerate the hardware-accelerated sessions.
Configure the de-accelerated behaviour of hardware-accelerated sessions with the CLI commands below; the setting controls how the processor handles existing sessions when a policy configuration change is made.
The following CLI commands are to be used:
# config system settings
set firewall-session-dirty { check-all | check-new | check-policy-option }
end
IPS and DoS Policies:
1. Importance of IPS: It's essential to defend against potential attacks targeting public-facing services. Given the exposure of these services, they are prime targets for malicious entities.
2. FortiGate’s IPS Signatures for Software Protection: FortiGate offers a suite of IPS signatures tailored to defend specific software titles from DoS attacks.
3. Importance of FortiGuard IPS Subscription: Vulnerabilities and attack vectors evolve over time. Having an active FortiGuard IPS subscription ensures:
4. Configuring DoS Policies: DoS attacks aim to overwhelm services, making them unavailable. Properly setting up DoS policies can mitigate these threats.
Setting Thresholds: The threshold determines the maximum number of sessions or packets per second deemed as normal traffic. If incoming traffic exceeds this threshold, the specified action is initiated. It's crucial to find a balance when setting this threshold:
Tuning the Threshold: While default threshold values are a good starting point, they might not align with the network's specific requirements. Here’s a methodical approach to fine-tuning:
5. Additional Information:
Geo-Blocking: If the services don't require global access, consider implementing geo-blocking. Restricting access to specific regions can drastically reduce the attack surface.
Traffic Analysis: Regularly analyze traffic patterns using FortiAnalyzer or similar tools. Such analysis can give insights into potential threats and help fine-tune policies.
Stay Updated: Security is a dynamic field. Regularly follow Fortinet's advisories, forums, and community discussions to be aware of emerging threats and recommended configurations.
Remember, while technology provides a solid defense, continuous monitoring and proactive management are vital to ensure the security of the systems.
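The threshold trade-off described under item 4 (too low flags legitimate peaks, too high lets a flood through) can be worked through on sample data. The script below is an added example, not Fortinet code or a Fortinet-documented method: the per-second session counts are constructed, and the 'baseline mean plus three standard deviations' rule for a starting threshold is an assumption chosen to illustrate tuning from observed traffic rather than from the default value.

```python
"""Derive a DoS policy threshold from observed traffic and replay a burst against it.

Added example, not Fortinet code. BASELINE is a constructed series of new
sessions per second over a quiet period; REPLAY appends one legitimate peak
and a constructed flood. The mean + 3 * stdev rule is an assumption.
"""
import math
from statistics import mean, stdev

# Constructed: new sessions per second during normal operation.
BASELINE = [40, 52, 47, 61, 55, 49, 58, 63, 50, 57,
            45, 60, 54, 48, 59, 56, 62, 51, 53, 46]
# Constructed: one legitimate peak (70), then a flood.
LEGIT_PEAK = [70]
FLOOD = [400, 950, 1200, 1100]
REPLAY = BASELINE + LEGIT_PEAK + FLOOD
ATTACK_START = len(BASELINE) + len(LEGIT_PEAK)  # index of the first flood second


def suggest_threshold(samples, k=3.0):
    """Starting threshold: baseline mean plus k standard deviations, rounded up."""
    return math.ceil(mean(samples) + k * stdev(samples))


def evaluate(samples, threshold):
    """Seconds (index, count) on which traffic exceeded the threshold."""
    return [(i, c) for i, c in enumerate(samples) if c > threshold]


def trade_off(samples, attack_start, threshold):
    """Return (legitimate seconds wrongly flagged, flood seconds caught)."""
    flagged = {i for i, _ in evaluate(samples, threshold)}
    false_positives = sum(1 for i in flagged if i < attack_start)
    caught = sum(1 for i in flagged if i >= attack_start)
    return false_positives, caught


if __name__ == "__main__":
    suggested = suggest_threshold(BASELINE)
    for label, t in (("too low", 50), ("suggested", suggested), ("too high", 2000)):
        fp, caught = trade_off(REPLAY, ATTACK_START, t)
        print(f"threshold {t:>5} ({label}): {fp} legitimate seconds flagged, "
              f"{caught} of {len(FLOOD)} flood seconds caught")
```

In practice the baseline should be collected over a representative period (including known busy hours) and the resulting threshold compared against the DoS policy's default before it is applied; re-running the comparison after a change in traffic patterns is what keeps the threshold tuned.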
Copyright 2024 Fortinet, Inc. All Rights Reserved.