Friday, September 17, 2010

Securing Firewall Administrator Access to Fortigates


One feature that is often overlooked is the ability to lock down the firewall interfaces so that they do not answer administrative connection attempts at all. This further hardens the firewall itself and makes reconnaissance against it that much more difficult.

By default you can connect to any firewall interface which has administrative traffic enabled, for example:
  • The firewall's internal interface is configured as 192.168.1.1/24 and set to accept ping, HTTPS and SSH
  • The trusted hosts for your admin account are configured for 0.0.0.0/0 and you only have one account configured
  • You are located on the 192.168.44.0 network and can reach the firewall's internal interface via a router
  • You can ping the firewall, reach the login screen of the web GUI, and connect to port 22 to attempt to authenticate via SSH. If you provide the correct credentials for the admin user you will be granted access.
Now let's say you want to lock down the firewall to the point where users outside the 192.168.1.0 network cannot even ping the firewall or access the web GUI. Proceed as follows:
  • Under System -> Admin, edit the appropriate user
  • Set Trusted Host #1 to 192.168.1.0/24 and ignore the other two
Now any user not on the 192.168.1.0/24 network can no longer ping the firewall or connect to it over HTTPS or SSH, even though these services remain enabled on the interface. You can also restrict the trusted host to a single IP address by using a /32. For example, setting your trusted host to 192.168.1.42/32 (or 192.168.1.42/255.255.255.255) would permit only a single machine to connect to the firewall for administrative purposes. You can specify up to three separate trusted hosts or networks in total.

Multiple Administrator Accounts

If you have multiple administrator accounts defined, be aware that the trusted hosts for all accounts need to be configured exactly the same for this to work, as shown in the next screenshot.


If the trusted hosts differ between admin accounts, the interfaces will be reachable again. You will, of course, still only be able to log in if your IP address matches the trusted hosts defined for your own admin account.
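The lock-down described above and the multiple-account caveat can be audited offline. The following Python is an added example, not part of the original post or of Fortinet's tooling: it parses a constructed snapshot modelled on FortiOS "config system admin" output (the sample is made up, and an account with no trusthostN lines is assumed to default to 0.0.0.0/0 as described above), reports whether a given source address can reach the management interface at all, which accounts it could actually log in as, and which accounts still trust everyone.

```python
import ipaddress
import re

# Constructed sample modelled on FortiOS "config system admin" output, not a
# real device dump. "admin" is locked to the internal LAN plus one host;
# "helpdesk" still has the factory default, i.e. trusted from anywhere.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 192.168.1.42 255.255.255.255
    next
    edit "helpdesk"
    next
end
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_admins(config):
    """Admin name -> trusted nets; no trusthostN lines means 0.0.0.0/0 (the post's default)."""
    admins, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            admins[current] = []
            continue
        m = re.match(r"^set trusthost\d+ (\S+) (\S+)$", line)
        if m and current is not None:
            # ipaddress accepts "addr/netmask"; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            admins[current].append(net)
    return {name: nets or [ANY] for name, nets in admins.items()}

def management_reachable(admins, src_ip):
    """True if ANY account trusts src_ip: one 0.0.0.0/0 account re-exposes the interface."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for nets in admins.values() for net in nets)

def accounts_usable_from(admins, src_ip):
    """Accounts whose own trusted hosts would let src_ip log in."""
    ip = ipaddress.ip_address(src_ip)
    return sorted(n for n, nets in admins.items() if any(ip in x for x in nets))

def wide_open_accounts(admins):
    """Accounts still trusting 0.0.0.0/0: the finding to fix first."""
    return sorted(n for n, nets in admins.items() if ANY in nets)
```

Feed it the output of the same CLI section from your own unit and fix every account that wide_open_accounts reports before assuming the interface is locked down.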


Also make sure you remember that your firewall interfaces are locked down so you don't start wondering why all of a sudden your firewall no longer responds to pings. (That has of course never happened to me ;)
