This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.
Security
Security tools. Primarily Firewall and the like.
Fortinet FortiGate
FortiGate is Fortinet's firewall (security gateway), marketed as a Next Generation Firewall (NGFW). It comes in a number of models, either physical (hardware appliance) or virtual (for various hypervisors: VMware vSphere, Microsoft Hyper-V, Citrix XenServer, open-source Xen, KVM). Here we focus on the virtual version, but the distinction matters little because all FortiGates run the same FortiOS operating system. This article describes how to get the virtual Fortinet FortiGate-VM00 up and running, followed by a brief description of the main operations, settings and the creation of firewall rules. Various advanced features are briefly mentioned at the end.
09.04.2018 | 25.02.2018 | Samuraj - Petr Bouška | Fortinet admin | 57 638x | Comments [29]
Contactless chip technology and access control systems
Contactless chips, whether in the form of a card or a key fob, and nowadays also built into mobile phones, have been very popular for many years. Their applications are wide-ranging; one of the essential areas is access control systems, that is, simply opening doors. At first glance everything looks simple, but behind the scenes there are many different technologies, standards and manufacturers. I have tried to put together the basic information, but many details are hard to trace.
30.08.2019 | | administration | 24 885x | Comments [5]
FortiAnalyzer basic configuration
FortiAnalyzer is a centralized logging tool, primarily for FortiGate, but it also supports other Fortinet devices. It collects logs from multiple devices (which can be grouped or split), runs analysis on them and generates reports. The focus is on security and on providing insight into threats. It offers broader capabilities than local logging on FortiGate and, most importantly, retains a much longer data history. It is available as a hardware appliance or a virtual machine.
21.05.2020 | 29.02.2020 | | Fortinet admin | 16 896x | Comments [0]
FortiGate High Availability cluster and Virtual Domains (VDOM)
The firewall at the perimeter of the network is our central point of access to the Internet and other networks. We certainly do not want it to be a Single Point of Failure, so we need to address redundancy, preferably with a cluster that ensures High Availability. The cluster gives us a unified configuration and failover between units (not only when a device fails, but also when a line does). Once we have bought two devices, we may want to make the best use of them. Virtual Domains (VDOMs) can be useful in some situations: they let us divide a FortiGate into several parts that work independently, in effect creating several virtual firewalls from one device (or cluster).
01.05.2021 | 05.03.2020 | | Fortinet admin | 21 163x | Comments [3]
FortiGate users, groups and authentication to LDAP (AD DS)
FortiGate supports different types of users and user groups. Users can authenticate not only locally but also against external servers. Authentication against an LDAP server is useful because it lets us use users from a Microsoft domain (Active Directory Domain Services). We can then reference users and groups in security policies or when building a VPN connection. Even FortiGate administrators can log in with a domain account.
26.03.2020 | | Fortinet admin | 21 411x | Comments [5]
FortiGate configuration, upgrade, modes of operation, network interfaces, CLI
The article deals with the basic configuration (installation and upgrade) of the physical Next Generation Firewall appliance Fortinet FortiGate. It describes the possible modes (operation mode, inspection mode and NGFW mode), discusses physical and virtual network interfaces, and covers the basics of using the command line interface (CLI). Finally, it looks at automatic configuration backup.
29.05.2020 | | Fortinet admin | 16 352x | Comments [2]
FortiGate two Internet connections (Dual WAN)
Connecting a company to the Internet is essential nowadays, and the connection is usually expected to be fault tolerant (within reason). We can use a single ISP that provides high availability (redundancy) by its own means (for example by bringing in two independent fiber routes). Or we can have two (or more) different ISPs, in which case we have to handle line usage and failover ourselves. We may also have two Internet lines and want to split the traffic manually. FortiGate has several options for these situations; most of our focus is on SD-WAN. An important question is whether we only need Internet access or also publish services on public IP addresses.
14.07.2020 | | Fortinet admin | 21 479x | Comments [5]
FortiGate Firewall policies, NAT, Load Balancing, Debug
The basic function of a firewall is controlling network traffic, which is done by defining security policies. In this article we look at the basic properties of policies. Next we discuss the Network Address Translation (NAT) options: first source address translation for client communication to the Internet, then destination address translation for publishing servers, which is also related to Server Load Balancing. We describe the basic objects used in policies, such as services and addresses. Finally, there is a brief mention of traffic troubleshooting tools.
29.07.2020 | | Fortinet admin | 25 083x | Comments [4]
FortiGate 6.2.3 bugs, debug and support
I am gradually adding to the article and also testing various things on newer versions. So it's not just FortiOS 6.2.3, but 6.2.x and 6.4.x in general. We deployed FortiGate Firewalls a few months ago, and I've been dealing with a number of issues ever since. I think many of them are not due to my ignorance or configuration error, but a bug in FortiOS itself. I even contacted Fortinet Support with one thing and will share my bad experience here. I decided to write down the issues I can recall, and for the biggest one, describe the steps I took to determine the cause of the problem.
02.05.2021 | 04.09.2020 | | Fortinet admin | 13 913x | Comments [28]
FortiGate NAT64 - publishing a server with internal IPv4 to IPv6
It is generally not recommended to use any form of address translation (NAT) for IPv6. It is better to use, for example, Dual Stack and give the front-end servers IPv6 addresses alongside IPv4. But there may be situations where we need to make an existing service available over IPv6 in the simplest way possible. For that we have NAT64, where we publish an address on the IPv6 network and translate it to an existing internal IPv4 address; no change is needed on the servers. Unfortunately the NAT64 policy on FortiGate has a number of limitations, chiefly that it does not support any Security Profiles.
17.04.2022 | 02.12.2020 | | Fortinet admin | 10 223x | Comments [2]
FortiGate RADIUS authentication, groups and MS NPS
The article builds on the previous descriptions of user authentication and adds authentication against an external RADIUS server. We can use it for users in a Microsoft domain (Active Directory Domain Services) as well, for example for authentication to SSL VPN. We take a brief look at the Network Policy Server (NPS) configuration, mainly at how the user's group membership is passed to FortiGate.
09.06.2021 | | Fortinet admin | 14 079x | Comments [3]
FortiGate user identification using FSSO - Fortinet Single Sign-On
On FortiGate we can use the Fortinet Single Sign-On (FSSO) technique, which Fortinet describes as an authentication protocol for transparent user authentication. It associates an IP address with the name of the user who logged in from it, so wherever the source IP address is used we can reference users and groups instead of IP addresses. FSSO has a number of different options and uses. Here, however, we focus on linking it to an Active Directory domain and using it only to identify users in policies.
27.09.2021 | | Fortinet admin | 24 710x | Comments [5]
FortiClient EMS VPN/ZTNA
FortiClient Endpoint Management Server (FortiClient EMS) is used to centrally manage endpoints. It uses the FortiClient agent on the hosts to push configuration and retrieve information. Depending on the license, we get remote access features, now called Zero Trust Network Access (ZTNA), or Advanced Threat Protection (ATP), which includes Antivirus, Firewall and more. Here we take a brief look at EMS management and the use of the basic license (we do not cover the true ZTNA principle and its use).
13.03.2022 | 05.11.2021 | | Fortinet admin | 20 552x | Comments [6]
DNSSEC - Domain Name System Security Extensions
DNSSEC protects DNS records against spoofing by using digital signatures and a chain of trust. When we enable DNSSEC on a domain (DNS zone), all of its resource records are signed. This allows a validating DNS resolver to verify that a record was published by the zone owner and has not been modified in transit. This article attempts to (briefly) describe the principle of DNSSEC and related technologies.
14.02.2022 | | administration | 12 118x | Comments [1]
DNSSEC on Microsoft DNS Server
DNSSEC protects DNS records from being spoofed. On Windows Server we can install the DNS Server role and run an Authoritative Name Server, which manages a specific domain (zone), or a Recursive Name Server, which looks up the answer to a client's DNS query. DNSSEC is supported in both cases. In this article we describe how DNSSEC is used on Microsoft DNS Server. We focus on signing a public domain on the Internet, but we also mention other uses.
03.03.2022 | | Microsoft admin | 13 918x | Comments [3]
FortiGate Hairpin NAT, SNAT and DNAT behavior between networks
We describe the behavior and possible configurations of a somewhat specific situation: a device on the LAN (behind the FortiGate) accesses another device on the same or an adjacent network (also connected to the FortiGate) via an external IP address (network). Destination and possibly source address translation (NAT, Network Address Translation) is applied. This situation is referred to as NAT hairpinning, hairpin NAT, NAT loopback or NAT reflection. What matters is when and how FortiOS applies source NAT.
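As an added illustration (not configuration taken from the article), the following FortiOS CLI fragment shows the usual shape of a hairpin NAT setup: a VIP that maps a public address to an internal server, bound to any interface so it also matches traffic arriving from the LAN, and a LAN-to-LAN policy with NAT enabled so the reply goes back through the FortiGate instead of directly to the client. The interface name "lan", the object names and the addresses (203.0.113.10 public, 192.168.10.50 internal) are assumptions chosen for the example.

```fortios
# Added example: VIP reachable from any interface, including the LAN itself.
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "192.168.10.50"
        set extintf "any"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# Added example: policy for LAN clients reaching the server via the public address.
# "set nat enable" is the key line: without source NAT the server would reply
# straight to the client's private address, the client would see a reply from
# 192.168.10.50 instead of 203.0.113.10, and the TCP session would be dropped.
config firewall policy
    edit 0
        set name "lan-to-web-hairpin"
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

Once the policy is in place, the check is a session lookup (`diagnose sys session list`) from a LAN client connecting to 203.0.113.10: the session should show both the destination translation to 192.168.10.50 and the source translation to the FortiGate's LAN interface address. If only the destination is translated, the policy is missing NAT and the asymmetric reply described above is what you will see.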
03.06.2024 | | Fortinet admin | 21 986x | Comments [0]
Account security at work and home
Cybersecurity is increasingly important in today's digital age, whether we are using a work account (in a corporate environment) or a private one (at home). Attacks aim to gain access to our accounts. We briefly summarize three current areas. One of the most common threats is phishing, which tries to lure out sensitive data, bypass security and gain unauthorized access to our accounts. Another major danger is malicious code known as an infostealer, which steals information from the computer. As a first step, it is important to use secure login methods (MFA).
12.04.2025 | | administration | 2 867x | Comments [3]