Friday, July 6, 2012

Securing down your FortiGate UTM appliance

 

Securing it for a Static IP

If you have a Static IP or group of Static IP’s that you use to connect remotely to your Fortinet device, there is an easy way to map external services, secure it down to a group of subnets and allow only a few IP’s to remotely manage the firewall from the Internet.  There are other ways, this is my favorite with the most amount of control and logging available for the remote connections.  Let’s get started.

Scenario (My Setup)

  • WAN IP = Dynamic (wan)
  • LAN IP = 10.11.3.254 (InternalSwitch)
  • Internal Management Port (HTTPS) = 443
  • Internal Management Port (SSH) = 22
  • Trusted External Subnets =
    • 12.166.20.0/23
    • utm.doesntexist.com (DynDNS)

 

Let’s get started with a Dynamic or Static IP

  • Log into firewall
  • Create a new VIP for HTTPS Access
    • image

      config firewall vip

      		 Enter into VIP
      edit External_HTTPS_T11443_w1 Name 1st VIP (I uses _w1 because you could create multiple for multiple WAN connections)
      set extintf wan Set External Interface
      set mappedip 10.11.3.254 Set Internal IP
      set portforward en Enable PAT
      set extport 11443 This is your External Port to Access GUI (I suggest not using 443)
      set mappedport 443 This is the Internal Mgmt Port (443 is default)
      next Next to start SSH entry, end to not setup ssh
  • Create a new VIP for SSH Access

image

edit External_SSH_T11022_w1 Name this VIP, using _w1 to separate multiple WAN connections
set extintf wan Set External Interface
set mappedip 10.11.3.254 Set Internal IP
set portforward en Enable PAT
set extport 11022 This is your External Port to Access GUI (I suggest not using 22)
set mappedport 22 This is the Internal Mgmt Port (22 is default)
end end to save
  • Create a VIP Group

image

config firewall vipgrp Enter VIP Group Entry
edit ExternalManagement_w1 Create a group for the External Management using _w1 to define the one for WAN1
set interface wan Set the Group’s interface (wan) in this scenario
set member “External_HTTPS_11443_w1” “External_SSH_T11022_w1” Add the two members to the group
  • Create address object for trusted IP

image

config firewall address Enter Address Creation
edit “TrustedSubnet_1” Call this what you want, but you are creating a name for this trusted IP
set subnet 12.166.20.0/23 Add the trusted subnet
next or end Next or end to create more
  • Create address object for trusted FQDN

image

config firewall address Enter Address Creation
edit “Trusted_FQDN_1” Call this what you want, this is a trusted FQDN example
set type fqdn Setup a type FQDN
set fqdn “utm.doesntexist.com” Add your trusted FQDN
  • Create address group object

image

config firewall addrgrp Enter Address Group Creation
edit “Trusted_Remote_w1” Create a group name for Trusted addresses on w1
set member “TrustedSubnet_1” “Trusted_FQDN_1” Add members to the Group
end End to save
  • Create new ExternalAdmin account

image

config system admin Enter Address Group Creation
edit ExternalAdmin Create your ExternalAdmin Account
set accprofile super_admin super_admin is a full rights admin, but I suggest creating a restricted user for External Access
set password SecurePassword Change SecurePassword with a secure password
End Save and create new Account
  • Lockdown admin to local subnet only

image

config system admin Enter Address Group Creation
edit ExternalAdmin Create your ExternalAdmin Account
set accprofile super_admin super_admin is a full rights admin, but I suggest creating a restricted user for External Access
set password SecurePassword Change SecurePassword with a secure password
End Save and create new Account

 

  • Create firewall policy
    image

    • config firewall policy

    		 Enter Firewall Policy Creation
    edit 0 “edit 0” creates a new entry after the biggest number.
    set srcintf wan set the Source Interface (wan) in this instance, probably a port or wan1/2 for you
    set dstintf InternalSwitch set Destionation Interface (InternalSwitch).  Likely a port or internal for you.
    set srcaddr “Trusted_Remote_w1” Set your Source Address.  This is the group you created in previous steps
    set dstaddr “ExternalManagement_w1” Set your Destination Address.  This is your VIP Group you created earlier
    set action accept Accept the traffic
    set service “HTTPS” “SSH” Set the two services you need.  These are the “internal” services and not the external.  If you management port is not standard you may need to create a service object for this.
    set logtraffic enable Enable logging for your sanity.
    end  
 

This will in effect do the following:

  1. Allow the default “admin” to only login from inside the network
  2. Create a new user for ExternalAdmin of the firewall
  3. Create 2 VIP’s to allow inbound mapping for alternative ports to the inside management ports
  4. Allow you to ping the firewall from anywhere
  5. Trust just a few IP/FQDN’s for remote management
  6. Log traffic accessing the VIP
  7. Apply inbound UTM if you wanted, not in this tutorial though

To use this you will want to either:

  1. To use web-management, use the IP of the External Interface to use
    1. https://externalIP:11443
      1. Use DynamicDNS to “find easier”
    2. Putty via externalIP:11022
  2. Login with ExternalAdmin and password

Hope this helps you create a secure access method to your firewall. 

 

Enjoy!

Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)