FortiGate : 5 Admin Access Security Hardening Tips

Reddit Comments

FYI, the need to rename the default admin account before you can delete it was removed at some point in 6.2.x.

Also, there is a hardening guide on the docs site that covers these tips and some more for every FortiOS release for anyone that's interested.

6.4

https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate

6.2

https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/612504/hardening-your-fortigate

6.0

https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/612504/hardening-your-fortigate

There's also a good best practices guide to review.

👍 3 👤 u/jevilsizor 📅 Jun 01 2020 🗫 replies

What about local-in policy? I've never been a fan of trusted host IPs because it makes the firewall listen to requests from unauthorized IP addresses.

👍 2 👤 u/supers3t 📅 Jun 01 2020 🗫 replies

2FA is the minimum, but if you want something good, site2site IPSec from your home office to work, then use another additional tunnel to a jump station (SSH tunneling is good) that has access to a tightly controlled and monitored management network. The key word is monitored; use something like Tripwire to catch brute force attempts. The point of the jump station is to air gap your management network.

👍 2 👤 u/simplefred 📅 Jun 01 2020 🗫 replies

Friendly warning/tip regarding 2FA for admin access.
When setting it up, make absolutely certain that you have a working alternative login method (different admin with already functional 2FA or no 2FA) until you have verified that your newly 2FA-ed admin login is actually functional.
People keep regularly cutting themselves off (either due to failing to activate the token, or just losing the activated token/phone) and the recovery is not fun.

👍 2 👤 u/pabechan 📅 Jun 01 2020 🗫 replies

1.) Lock admin access down

2.) Use non-standard ports for access

3.) Configure trusted host addresses on accounts

4.) Delete default admin account

5.) Enable MFA

Never been a fan of #2. And 10433 isn't very obscure either. Something like that is also a standard non-standard port, as 8843, 8443, 7443 and 4433 are.

Port scanning is nothing and the effort it takes is the same. nmap is -F (fast) or -p- (all ports). Typing both is 3 button presses. Once you are in, doing an internal range across all 65k ports is no big deal either and doesn't take long. When I am told to use "obscure" ports on public IP addresses I typically get a shodan.io email within a week or two.

Security through obscurity isn't security, and using any port you want is fruit already on the ground whether it's 443 or 49854. And you are still gonna get scanned regardless.

#2 should be strong passwords and use keys/MFA whenever allowed.

Then #5 could be to set up an alert whenever someone logs into the firewall or makes a change.

👍 1 👤 u/red_dog007 📅 Jun 01 2020 🗫 replies
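Following on from the suggestion to alert on every firewall login: the FortiOS automation-stitch configuration below is an added example written for this page, not configuration from the comment, the video or Fortinet's documentation. It e-mails an operator on successful and on failed admin logins, which also surfaces the brute-force attempts the thread talks about. The stitch, trigger and action names and the address noc@example.com are placeholders; the event log IDs 32001 (admin login successful) and 32002 (admin login failed) are the FortiOS IDs as I know them and should be verified against the Log Reference for the release in use. The `set action` form is the 6.2 syntax; 6.4 nests the action under a `config actions` sub-table, and the mailer assumes an outbound mail path is configured (FortiGuard default or `config system email-server`).

```text
config system automation-trigger
    edit "admin-login-ok"
        set event-type event-log
        set logid 32001
    next
    edit "admin-login-failed"
        set event-type event-log
        set logid 32002
    next
end
config system automation-action
    edit "mail-noc"
        set action-type email
        set email-to "noc@example.com"
        set email-subject "FortiGate admin login event"
    next
end
config system automation-stitch
    edit "alert-admin-login-ok"
        set trigger "admin-login-ok"
        set action "mail-noc"
    next
    edit "alert-admin-login-failed"
        set trigger "admin-login-failed"
        set action "mail-noc"
    next
end
```

Pair this with `admin-lockout-threshold` and `admin-lockout-duration` under `config system global` so that repeated failures lock the source out rather than only generating mail; an alert on every successful login from an address outside your trusted hosts is the one you most want a human to read, since trusted hosts should already make such a login impossible.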

Is there any difference between renaming the account and deleting it? I always rename the default admin account which takes care of someone trying to hit an account called 'admin'. Is there functionally any other risk beyond just the name?

👍 1 👤 u/nanonoise 📅 Jun 02 2020 🗫 replies

Great video, thanks for sharing.

You can also leverage Security Rating in FortiOS to pick up several of these cases:

  • Disabling administrative access on WAN ports (if “wan1” had the role of “WAN” instead of “LAN” this would work)
  • Configure “Trusted Hosts” for administrators
  • Change the default port for HTTPS & SSH

Enabling Two-Factor authentication will be supported in a future release.

👍 1 👤 u/jthompson-ftnt 📅 Jun 05 2020 🗫 replies
Captions
Today we're going to discuss some simple things you can do to harden your FortiGate. This won't make it hack-proof, but it will shrink the attack surface drastically. Stay tuned. [Music]

Hey guys, Mike here from Fortinet Guru. We all have FortiGates that live in the wild; very seldom are they actually deployed internally to our organization, which means we have to use the internet to access them. That means that if we're not using SSL VPN to connect to our device and then administer it from the inside, you're running the chance that someone on the outside is going to be doing port scans or brute-force attacks against your device.

The first thing we want to do is make sure that our external access is locked down to the bare minimum. What I mean by that is we all have FortiGates that have public-facing IPs; it might not be static, but it is externally accessible. The first thing we need to do there is make sure that only the access that is absolutely necessary is enabled. That means if you don't need ping on that interface, turn ping off; if you don't need HTTPS or HTTP or SSH etc., turn it off, because those are all ports that the device is listening on, and that's what people are going to pick up on. Not to mention, if they're enabled and you don't have trusted hosts on your actual accounts, people can, and given enough time will, be successful at brute-forcing your account.

The way you actually prevent administrative access on an interface is by going to the interface. For the sake of our video here, wan1 is our external interface; this is what people would actually be connecting by. So we just go to wan1 and click Edit. Under Administrative Access these are the different methods this device can be administratively communicated with. Ping is not so much of a security concern, except that it does let someone know that a device does live at that IP. Now this particular device I access through this port, and it's internal to my network, so having HTTPS and SSH on here is perfectly fine. If you're running FortiManager and you want to manage your device only from FortiManager, then the only thing you really need enabled is this FMG-Access.

One thing to consider when you're configuring the administrative access on your interface: you need a backdoor. What I mean by backdoor is, we've all been there, we've made a policy change or some configuration change that's locked us out of our device. While you can automatically reset the FortiGate or roll back configs depending on what tools you're using, the best option is just to give yourself another way in. So what I usually do, especially in situations where I'm managing it from a FortiManager, is that FortiManager access is enabled and I have admin accounts that are local to the box specifically as fallback options. Those accounts have trusted host configurations, which means they can only be logged into from certain IPs, usually my office external IP and the internal network IP. That way, if I have to use TeamViewer or some remote access software, I can just jump into that box, hit the FortiGate from the inside interface and fix whatever I broke. So that's one thing you need to really take seriously when you're controlling your administrative access.

Step two in enabling your access from the outside is to use non-standard ports. Everybody and their mother is scanning port 22 and port 443 for administrative access, and on the FortiGate you can actually change what ports your device is listening on for that access. Once you have the administrative access enabled on the FortiGate that you're desiring, whether that be HTTPS, SSH, HTTP etc., that's the means into the device. So the next step is to configure the system settings to make those services listen on certain ports. By default your FortiGate listens on 443 for HTTPS administration, port 22 for SSH, port 80 for HTTP etc., and those are almost always the common denominators across things. In fact, the only time most people end up changing their HTTPS port is because SSL VPN is utilizing it. I like to disable redirect to HTTPS, because that way they're not hitting an unsecured port and automatically finding the port that we're configuring to a high random one. The reason we're doing this is security through obscurity; it makes it a little bit harder for them to find you. What I normally do is make HTTPS listen on 10443, which is why, if you look up here, in order for me to access my box from an administrative perspective I have to use 10443 as the port. Then of course for SSH I use 22443 and Telnet 23443, though I hardly ever, if ever, actually utilize Telnet, so it's kind of a waste. So configure those to high random ports. Configuring your administrative services to be on ports that aren't your standard ports at least makes you a little bit more difficult to find. They're not going to be able to as easily find that admin logon page, which means they're less likely to be able to crack it; it's just going to take a little bit more work for them.

Tip number three, and it was mentioned previously in tip one, is that I like to set trusted hosts on my actual admin accounts. That way they can only be accessed from a certain device or location. For instance, my home office has an external IP that never changes. Whenever I'm configuring my admin account on a local box, I make it so that I can only log in from my external IP or from the network's internal IP, and that helps keep things relatively secure in that regard: someone's not going to be able to hit it from an outside public IP. So if you have admin accounts on a box and you're looking to make it so they can only be logged into from certain subnets or IP addresses, it's really easy to do. Under System > Administrators you select the account in question, click Edit, and you can restrict the login to trusted hosts; it's a little toggle at the bottom. This is for FortiGates running 6.4.0, but it's very similar in others. From there you set up your IPs, so if it's 100 100 0 /24, which is what my internal subnet is here, or maybe my external IP, 1.1.1/32, those are the only subnets this FortiGate can be logged into from. It's very good from the perspective of locking things down; the trusted host is a simple method to make sure that your account at least can't get compromised.

Step four is to delete the admin account. FortiGates come with the default admin account right out of the box, and since it's a Linux-driven operating system in some fashion, at least most people know that it's listening on port 22, or whatever port it finds listening on SSH etc., and they try to brute-force the accounts. One of the best ways to help protect yourself is to get rid of the account that everybody knows of. Now, on an older version of the code you couldn't actually delete the admin account without renaming it, so I'm going to show you that process here. We're logged into our FortiGate, we have our admin account here, and as you can see I actually had to create it real quick specifically to show this. Basically you go config system admin, then rename admin to test_admin, then from there you can delete test_admin and go to end, and that gets rid of the admin account that exists on the box by default. What deleting the admin account does, just to confirm what we mentioned, is make it less likely for that device to get compromised using default credentials. Even if you change the password on that account, people can brute-force it if you don't have your timeouts and login settings set properly.

Tip five, and it's a tip that's actually a little bit more involved, so we'll have a separate video going into detail on how to accomplish it, is to enable multi-factor authentication. If your FortiGate is going to be accessible from the outside world for administrative purposes, you want the tightest security possible. Multi-factor authentication is basically combining something you know, your username and password, with something you have: a token, an SMS request, an email token, etc. If you're able to further verify that you're you this way, then even if someone were to compromise your password, which is hopefully long and complicated anyway, you have that extra added layer of security. But like I said, that'll be a separate video, because it is a little bit more involved.

If you like videos like this and they provide value to you, please do me a favor: hit the like button on the video, then hit the subscribe button and the notify bell. The like button helps me out and helps other people find this video; subscribe and notify help you know when new videos come out from me. [Music]
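The five tips from the video, written out as one FortiOS CLI session. This is an added example for this page, not configuration taken from the video or from Fortinet. The interface name wan1, the ports 10443, 22443 and 23443 and the rename/delete sequence are what the video shows; the WAN role on wan1, the account names fallback_admin and daily_admin, the addresses 192.0.2.10 and 10.10.100.0/24, the FortiToken serial, the lockout and timeout values and the passwords are placeholders to replace with your own. Keywords follow FortiOS 6.x; lines starting with # are annotations, not commands.

```text
# Tip 1: on the internet-facing interface keep only the access you need.
# Here only FortiManager (fgfm) stays on; use "unset allowaccess" instead
# if nothing at all should listen on wan1.
config system interface
    edit "wan1"
        set role wan
        set allowaccess fgfm
    next
end

# Tip 2: move management off 443/22/23, drop the HTTP->HTTPS redirect that
# would reveal the new port, and lock out repeated failed logins.
config system global
    set admin-sport 10443
    set admin-ssh-port 22443
    set admin-telnet-port 23443
    set admin-https-redirect disable
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admintimeout 10
end

# Tip 3: the local fallback ("backdoor") account, reachable only from the
# office's static public IP and the internal subnet (placeholder values).
config system admin
    edit "fallback_admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 192.0.2.10 255.255.255.255
        set trusthost2 10.10.100.0 255.255.255.0
        set password <long-random-password>
    next
end

# Tip 5: the day-to-day account with a FortiToken as the second factor,
# still restricted to the same trusted hosts (placeholder serial).
config system admin
    edit "daily_admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 192.0.2.10 255.255.255.255
        set trusthost2 10.10.100.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXXXXX"
        set password <long-random-password>
    next
end

# Tip 4, last: remove the well-known default account. The rename is only
# needed on releases that refuse to delete an account called admin.
config system admin
    rename admin to test_admin
    delete test_admin
end
```

Apply this from a session on the inside interface using an account other than admin, so that neither the wan1 change nor the delete can drop your own session, and log in as daily_admin with the token once before relying on it; fallback_admin without 2FA is the working alternative the thread above recommends keeping until that login is confirmed. The trusted host masks are written as IP plus netmask because that is how `trusthostN` takes them, not in CIDR form.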
Info
Channel: Fortinet Guru
Views: 11,209
Keywords: fortigate security hardening, harden security, fortigate hardening, admin rename
Id: myZOfLeBx6E
Length: 9min 38sec (578 seconds)
Published: Mon Jun 01 2020