TSOP14-001 - Fortigate Setup
Technical Standard Operating Procedure
TSOP13-010 Internal Use Only Controlled Document v1.0
TSOP13-010: Fortigate Setup
Revision Date: April 20, 2014
Purpose
This document will outline a procedure to complete a Next Digital standard basic Fortigate configuration.
Requirements
An approved FortiGate or FortiWifi device is required to complete the setup. A network cable, a web browser and Internet access are required for device configuration and updates.
Procedure
Initial Setup
1. Update Firmware
2. Set Hostname and Time Zone
3. Set switch/interface
4. Configure LAN Switch Interface
5. Configure WAN Switch Interface
FortiGuard Configuration
Set admin listening port to 9443
Create Firewall Objects
1. Create Next Digital Address and Group
2. Create RDP Management VIP
3. Create VIPs for Exchange (http, https, smtp)
Setup Security Profiles
1. Setup antivirus profile
2. Setup webfilter
3. Setup application control
4. Setup intrusion protection
5. Setup email filter
Setup Firewall Policies
1. Configure Internal to WAN Policies
2. Configure WAN to Internal Policies
Finalize Fortigate Configuration
1. Change admin accounts and passwords
2. Backup the configuration
Responsibilities
All technicians are responsible for ensuring that admin access is set up and a proper backup of the device is completed. All steps in the current procedure must be followed unless specified otherwise by a Technical Account Manager.
Appendix
Initial Setup
1. Download the latest version of FortiExplorer and the firmware (the currently supported version is 5.0.5) for the appropriate FortiGate/FortiWifi device from support.fortinet.com
2. Install FortiExplorer
3. Launch FortiExplorer
4. Connect your computer to the FortiGate/FortiWifi using the supplied USB cable
5. Power on FortiGate/FortiWifi. You should see the device in the FortiExplorer Window
6. Click on the Upload button beside Uploaded Firmware
7. Choose the Firmware you downloaded and select open.
8. Select Install, and confirm the upgrade by clicking Yes on the Update Firmware pop-up window.
FortiExplorer will display the progress; watch for errors. The FortiGate/FortiWifi will reboot once the upload has completed.
After the update completes, review the Current Firmware Version to confirm it matches the firmware you uploaded.
9. Next we are going to do a factory reset to clean up the existing configuration (Fortinet best practice,
ONLY ON A NEW CONFIG).
Navigate to the CLI in FortiExplorer. Log in as admin and type execute factoryreset. It will ask whether you want to continue; select y. The system will reboot.
Dashboard
1. Log into the Web-Based Manager in FortiExplorer (CLI options will be added underneath the GUI steps for those who prefer it.)
Username: admin Password: (no password)
2. After you log in, click Change beside the host name to change the name to something more descriptive.
Next click Change under System Time to update the system time details (time zone, NTP, etc.).
3. Change the Time Zone to the correct location, and set it to Synchronize with NTP Server. (You can choose to use the FortiGuard servers, or choose your own, e.g. ca.pool.ntp.org, pool.ntp.org, etc. FortiGuard servers are recommended.)
Network
The next steps will involve changing the interface mode from Switch to Interface, and creating a software switch. This configuration will allow greater scalability in the future if required.
1. Navigate to Policy > Policy, click on the internal to wan1 policy and select Delete.
This policy needs to be removed in order to change the interface mode.
2. Navigate to System > Network > Interfaces. Right-click on Internal and select Change Mode.
3. You will be prompted with the following window. Choose Interface Mode and select OK. The FortiGate/FortiWifi unit will restart.
After the system restarts, log back in via the Web-Based Manager in FortiExplorer. Navigate to Network > Interfaces. You will notice that every port on the FortiGate/FortiWifi is now displayed. We will now create a software switch called Switch.
4. Set up an internal LAN switch interface.
In Network > Interfaces select Create New and you will be redirected to a new window with the following options. Once configured select OK.
Name: Interface name (e.g. Switch, Internal Switch, etc. Make sure it makes sense.)
Type: Software Switch (Other options are VLAN, Loopback Interface, and Wi-Fi SSID. These options will not be explored in this document.)
Physical Interface Members: The physical interfaces you want as part of the switch. Always choose internal1, or port1, depending on the model of FortiGate/FortiWifi you are working on.
Addressing mode: Always set to a manual IP. Set the IP address of the internal network (e.g. 192.168.1.1/24, or 192.168.1.1/255.255.255.0).
Administrative Access: Set internal administrative access to HTTP, PING, HTTPS, CAPWAP, and SSH. If the client will be using a FortiManager you can select FMG-Access as well.
DHCP Server: If the FortiGate will be serving as your DHCP server you will need to enable DHCP. DHCP will be covered in a later section.
5. Next you will need to configure your WAN settings. Click on the wan1 interface in Network > Interfaces and select Edit.
6. If your ISP utilizes DHCP, configure the following.
Alias: Name to describe the interface. This is not required, but recommended. Standard is to use the ISP name (e.g. Telus, Shaw, Wi-Band, etc.).
Addressing mode: DHCP
Administrative Access: Set external administrative access to HTTPS and PING
Distance: Leave the default of 5
Retrieve default gateway from server: Make sure this is checked
Override internal DNS: Check this box as well
7. If your ISP utilizes static IP addressing, configure your WAN with the following settings.
Alias: Name to describe the interface. This is not required, but recommended. Standard is to use the ISP name (e.g. Telus, Shaw, Wi-Band, etc.).
Addressing mode: Manual
IP/Network Mask: Set the IP address provided by the ISP (e.g. 75.156.148.223/22, or 75.156.148.223/255.255.252.0)
Administrative Access: Set external administrative access to HTTPS and PING
8. If you are using a static address from your ISP you will need to configure a static route. The static route described here is the default gateway for the ISP. To set this, navigate to Network > Routing and select Create New.
9. On the New Static Route window, enter the following details and select OK.
Destination IP/Mask: Leave this as 0.0.0.0/0.0.0.0
Device: Choose your WAN interface
Gateway: Enter the gateway IP provided by your ISP
10. Next you will need to enter your System DNS information. Navigate to Network > DNS. If the organization has a domain and DNS server(s), set these to their DNS servers and domain name. If they do not have a domain, you can use the FortiGuard servers, or you can specify the ISP's DNS servers, leaving the Local Domain Name unchanged.
Primary DNS: IP of the primary DNS server (normally the Primary Domain Controller)
Secondary DNS: IP of the secondary DNS server (if there is not a second DNS server onsite, leave this field blank)
Local Domain Name: FQDN of the internal domain (e.g. abcd.internal)
Config
The first item to configure in the Config section is the FortiGuard service. The FortiGuard service provides AV, IPS, web and email filtering; without this service, or if the service expires, all filtering will be disabled. We will also enable some additional features in the GUI.
1. Navigate to Config > FortiGuard. Expand AV & IPS Download Options, and the Web Filtering and Email Filtering options. Choose the following options.
Allow Push Update
Schedule Update: Daily, 1 hour
Submit attack characteristics
Enable webfilter cache: change TTL to 500
Enable antispam cache: change TTL to 500
2. Navigate to Config > Features. Scroll to the bottom and select Show More. The list will expand. Scroll down until you see Multiple Security Profiles and click the Off button to turn it on (sounds weird, doesn't it, but you will see in the following images). Then click Apply.
Admin
This is the shortest section. Here we will be changing the listening port for HTTPS.
1. Navigate to Admin > Settings and change the HTTPS port to 9443 (ND standard). You can also change the Idle Timeout, but remember 480 minutes can have security implications (although I change it to 480). Then click Apply.
Firewall Objects
Address
As you can see we have skipped over the Policy tab. This is intentional as we will need to utilize settings from Firewall Objects and Security Profiles in our policies. The first step is going to be creating addresses for the Next Digital network. We need these addresses in order to restrict access to specific internal resources (e.g. management servers, or VMware hosts via the VIC) to just Next Digital.
1. Navigate to Address > Addresses and select Create New. This will open a New Address page. We will need to enter 3 different addresses for ND. After each entry make sure to click OK.
ND_Edmonton: IP Range 96.53.105.50-96.53.105.51
ND_Calgary
ND_Datacenter: IP 209.90.171.71
2. Next we will want to create a group for the ND addresses. Navigate to Address > Group and select Create New. Specify a new group name (e.g. ND_Address_Group, or Next_Digital, etc.), add the addresses to the group as shown in the image below, and select OK to close.
VIPs
The next option in Firewall Objects is the VIPs, or Virtual IPs. VIPs are used for creating static NAT, and static NAT with port forwarding. The following configuration will only demonstrate static NAT with port forwarding. The only time you would configure a plain static NAT would be if you had multiple servers and multiple public IPs. The number of VIPs required will also change based on the servers/services running at a particular client. In this configuration we will assume we only require a VIP to connect to a management server (via RDP) and an Exchange server for mail (SMTP only).
3. Navigate to Virtual IPs > Virtual IPs. Select Create New. Once the Add New Virtual IP Mapping window opens we will create the RDP VIP first, followed by the 3 VIPs required for Exchange.
RDP to the Management server
Name the VIP (e.g. Management_RDP)
External Interface is the incoming interface (e.g. wan1, DMZ, etc.)
Enter External IP Address/Range: 75.156.148.223 - 75.156.148.223
Enter Internal IP Address/Range: 192.168.1.9 - 192.168.1.9
Select the Port Forwarding check box
Protocol should be TCP
External Service Port: 3399 - 3399 (external ports may vary)
Map to Port: 3389 - 3389
SMTP, HTTP, and HTTPS to Exchange
Name the VIP (e.g. Exchange_SMTP)
External Interface is the incoming interface (e.g. wan1, DMZ, etc.)
Enter External IP Address/Range: 75.156.148.223 - 75.156.148.223
Enter Internal IP Address/Range: 192.168.1.12 - 192.168.1.12
Select the Port Forwarding check box
Protocol should be TCP
External Service Port: 25 - 25
Map to Port: 25 - 25
Name the VIP (e.g. Exchange_HTTP)
External Interface is the incoming interface (e.g. wan1, DMZ, etc.)
Enter External IP Address/Range: 75.156.148.223 - 75.156.148.223
Enter Internal IP Address/Range: 192.168.1.12 - 192.168.1.12
Select the Port Forwarding check box
Protocol should be TCP
External Service Port: 80 - 80
Map to Port: 80 - 80
Name the VIP (e.g. Exchange_HTTPS)
External Interface is the incoming interface (e.g. wan1, DMZ, etc.)
Enter External IP Address/Range: 75.156.148.223 - 75.156.148.223
Enter Internal IP Address/Range: 192.168.1.12 - 192.168.1.12
Select the Port Forwarding check box
Protocol should be TCP
External Service Port: 443 - 443
Map to Port: 443 - 443
4. After you have created the VIPs we will create a new VIP group for Exchange. Navigate to Virtual IPs >
VIP Groups and select create new. When the New VIP Group window opens pick a name for the group
(e.g. Exchange_VIP_Group) and select the 3 Exchange VIPs created earlier to be members of this
group. Select OK when complete.
Security Profiles
AntiVirus
Now that we have set up all that networking mumbo jumbo, let's get into the good stuff. The first setting displayed in the GUI is the AntiVirus profile. When we apply this profile to a policy it will scan websites (HTTP only), email, files via FTP, and IM. In addition, it will block connections to KNOWN botnet servers, and there is a sandbox option, but we will not get into that in this document. Here we go.
1. The first step here is to create a new profile. Please leave the default profiles as is. Navigate to AntiVirus > Profiles and select the + symbol in the top right corner. It will launch a New AntiVirus Profile page.
AntiVirus Profile
- Assign a name for the profile. The most common name would be the name of the company and the UTM function (e.g. NDEDM_AV_Profile).
- Inspection Mode is Proxy
- Select Block Connections to Botnet Servers
- Select all of the Virus Scan and Removal check boxes (the client may not have POP3, IMAP, etc., but we still want to scan inbound Gmail, Telus webmail, etc.)
Web Filter
The Web Filter is the service that allows, blocks, and monitors websites. One item that needs to be understood is that there is no local categories DB, although you can create your own local filter. We will do a generic exception as an example.
1. Navigate to Web Filter > Profiles and select the + symbol in the top right corner. It will launch a New
Web Filter Profile page.
Web Filter Profile
- Assign a name for the new Web Filter profile following the same format as the AV profile (e.g. NDEDM_WEB_Profile)
- Inspection Mode is Proxy
- Select FortiGuard Categories (if you do not have a valid service agreement, leave this unchecked). There are multiple categories that we will need to select; we will select the most common ones. Expand the appropriate category and select the following (use the Ctrl key for multiple selections):
  - Potentially Liable: Hacking, Illegal or Unethical, Proxy Avoidance
  - Adult/Mature Content: Nudity and Risque, Pornography
  - Bandwidth Consuming: Peer-to-peer File Sharing
  - Security Risk: Malicious Websites, Phishing, Spam URLs
  - Now that you have made your selections, right-click on one of your selections and select Block.
- Select Enable Safe Search
  - Select Search Engine Safe Search: Google, Yahoo!, Bing, Yandex
- Select Scan Encrypted Connections; leave Exempted Categories checked
- Select HTTP POST Action and set it to Comfort
- Then select Apply.
To create a local exception, block, monitor, etc., you can select Enable Web Site Filter on the current Web Filter profile. It will provide an option to create a new filter. Click on Create New. If we had set streaming audio/video to be blocked, but wanted to allow YouTube, this is how we do that.
  - In the URL field type youtube.com
  - Type is Simple (you can use expressions and wildcards as well, but it is not required for this example)
  - Action is Exempt (you can block, allow, and monitor here as well. Using Allow does not unblock the site; it is related to overrides. We will not be getting into overrides in this document.)
  - Status is Enable (this just enables or disables the current URL you are entering)
  - Select Apply.
Application Control
Application Control allows us to monitor, block, reset, and traffic shape specific applications. In this document we will only be setting up monitoring to assist us with troubleshooting performance issues. DO NOT CONFIGURE BLOCKING, RESET, or TRAFFIC SHAPING WITHOUT APPROVAL FROM the TAM, DIRECTOR, or PARTNERS.
1. Navigate to Application Control > Application Sensors and select the + symbol in the top right corner. It
will launch a New Application Sensor page.
Application Control Sensor
- Assign a name for the new Application Control sensor following the same format as the AV profile (e.g. NDEDM_APP_Sensor)
  - Select Allow and Log DNS Traffic
- Select OK
You will now be able to edit the sensor. Let's add a monitor to the sensor.
- Select Create New; this will launch a new Application Filter.
- This list can be daunting, but for the purpose of this document it will be easy.
- Leave all the defaults and click OK at the bottom of the page.
- Then select Apply. You have now created a basic Application sensor to monitor application traffic.
Intrusion Protection
Intrusion Protection (IPS) is used to prevent critical attacks on your network. The default settings for IPS still allow some critical vulnerabilities to get through. We are going to set up a sensor that blocks all critical and high severity signatures, and uses the signature defaults for all medium, low, and informational vulnerabilities.
1. Navigate to Intrusion Protection > IPS sensors and select the + symbol in the top right corner. It will
launch a New IPS Sensor page.
IPS Sensor
- Assign a name for the new IPS sensor following the same format as the AV profile (e.g. NDEDM_IPS_Sensor)
- Select OK
You will now be able to edit the sensor. Let's add the Critical and High blocks to the sensor.
- Select Create New; this will launch a new IPS Filter.
- Under the Severity window, uncheck the Medium, Low, and Info check boxes.
- Scroll to the bottom of the page and select Block All.
- Then click OK.
We can now add the signature defaults for Medium, Low, and Info to the sensor.
- Select Create New; this will launch a new IPS Filter.
- Under the Severity window, uncheck the Critical and High check boxes.
- Scroll to the bottom of the page and select Signature Defaults.
- Then click OK.
Your new sensor should look like the next image. If it does, click Apply.
Email Filter
The Email Filter allows us to check inbound email for known spam, malware, and phishing URLs sent to email servers. In our configuration we are using an Exchange server, and this is going to require us to configure the profile for SMTP (some Exchange servers are set to use POP3, but the most common protocol used is SMTP). If you have any mail server onsite other than Exchange you can also set up IMAP and POP3; however, this does not apply to this document.
Email Lists
1. Navigate to Email Filter > Email Lists and select Create New in the left corner. It will launch a New List page. We are going to create an empty BWL list that is required under the profile.
- Assign a name for the new list following the same format as the AV profile (e.g. NDEDM_BWL_list)
- Select OK
- Select OK again
Email Profiles
2. Navigate to Email Filter > Profiles and select the + symbol in the top right corner. It will launch a New Email Filter Profile page. (If you experience any inbound mail delivery issues, please discuss with a TAM before changing any of these settings.)
- Assign a name for the new profile following the same format as the AV profile (e.g. NDEDM_MAIL_Profile)
- Select Enable Spam Detection and Filtering
- UNCHECK IMAP and POP3
- SMTP settings are as follows
  - Spam Action: Discard
- FortiGuard Spam Filtering
  - E-mail Checksum
  - URL Check
  - Spam Submission
  - Detect Phishing URLs in Email
- Local Spam Filtering
  - Return E-mail DNS Check
  - BWL Check
- Select the previously created Email List
- Select OK
Policy
Policies
So now that all the hard work is done, we need to put everything we just did to use. Policies are what we use to allow traffic between networks, and what services (FTP, SMTP, HTTP, VPN, etc.) are allowed to go between them. This paragraph could go on forever, but I think you get the idea, and hopefully after creating a few of them it will make more sense.
Internal to WAN
1. The first policy we are going to create is the easiest one. Its primary function is to give access from the internal network to the Internet. You will see other policies that use User Identity; these are set on a client by client basis. Do not set up a User Identity policy without talking to a TAM. Navigate to Policy > Policy and select Create New.
- Policy Type: Firewall
- Policy Subtype: Address
- Incoming Interface: Switch (or whatever you named the soft switch). DO NOT EVER SELECT ALL for INCOMING INTERFACE
- Source Address: All
- Outgoing Interface: wan1 (whichever interface you have your Internet on). DO NOT EVER SELECT ALL for OUTGOING INTERFACE
- Destination Address: All
- Schedule: Always
- Service: ALL
- Action: Accept
- Select Enable NAT (if you do not know what NAT is, look it up)
- Logging Options: Log Security Events
- Security Profiles (this is where all your hard work comes in)
  - Turn on the following (remember this is traffic going from Internal to External)
  - Web Filter: Choose your Web Filter profile (NDEDM_WEB_Profile)
  - Application Control: Choose your Application Control sensor (NDEDM_APP_Sensor)
  - Proxy Options: Leave as default
- Select OK
WAN to Internal
2. As previously mentioned in the VIPs section, we will be configuring this FortiGate assuming we have an Exchange server and a management server. To allow mail to reach the Exchange server we have to allow SMTP traffic from the WAN to the internal network. We also need to allow HTTPS and HTTP for webmail, and RDP for access to the management server. We are going to accomplish this by creating two policies. We will do the Exchange access first, followed by the management server. You should already be in the Policy section. Go ahead and click Create New.
- Policy Type: Firewall
- Policy Subtype: Address
- Incoming Interface: wan1 (rule still applies: no ALL)
- Source Address: All
- Outgoing Interface: Switch (rule still applies: no ALL)
- Destination Address: Exchange_VIP_Group (whatever you called your VIP group, or you can add each of the Exchange VIPs)
- Schedule: Always
- Service: SMTP, HTTP, and HTTPS
- Action: Accept
- DO NOT ENABLE NAT
- Logging Options: Log Security Events
- Security Profiles
  - Turn on the following
  - AntiVirus: Choose your AntiVirus profile (NDEDM_AV_Profile)
  - Application Control: Choose your Application Control sensor (NDEDM_APP_Sensor)
  - IPS: Choose your IPS sensor (NDEDM_IPS_Sensor)
  - Email Filter: Choose your Email Filter profile (NDEDM_EMAIL_Profile)
  - Proxy Options: Leave as default
- Select OK
3. Now we will create the policy to allow Next Digital to connect to the Management server. This policy
should be locked down to only allow access from Next Digital locations.
- Policy Type: Firewall
- Policy Subtype: Address
- Incoming Interface: wan1 (rule still applies: no ALL)
- Source Address: ND_Address_Group (whatever you called your ND address group, or you can add each of the ND addresses)
- Outgoing Interface: Switch (rule still applies: no ALL)
- Destination Address: Management_RDP
- Schedule: Always
- Service: RDP
- Action: Accept
- DO NOT ENABLE NAT
- Logging Options: Log Security Events
- Security Profiles
  - Turn on the following
  - AntiVirus: Choose your AntiVirus profile (NDEDM_AV_Profile)
  - Application Control: Choose your Application Control sensor (NDEDM_APP_Sensor)
  - IPS: Choose your IPS sensor (NDEDM_IPS_Sensor)
  - Proxy Options: Leave as default
- Select OK
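As an added check (example code written for this page, not part of the SOP or of any Fortinet tool), the script below parses a constructed FortiOS-style CLI dump of the three policies from steps 1 to 3 and flags deviations from the rules stated there: no ALL interfaces, NAT only on the outbound policy, inbound VIP policies carrying AV and IPS, and the RDP policy restricted to the ND address group. It assumes the WAN interface is named wan1, the group is ND_Address_Group, and that the GUI's ALL interface shows up as any in the CLI.

```python
import re

# Constructed sample in FortiOS CLI style (made up for this example, not copied
# from the SOP or a device); names mirror the SOP so each rule gets exercised.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "Switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set nat enable
        set webfilter-profile "NDEDM_WEB_Profile"
        set application-list "NDEDM_APP_Sensor"
    next
    edit 2
        set srcintf "wan1"
        set dstintf "Switch"
        set srcaddr "all"
        set dstaddr "Exchange_VIP_Group"
        set service "SMTP" "HTTP" "HTTPS"
        set av-profile "NDEDM_AV_Profile"
        set ips-sensor "NDEDM_IPS_Sensor"
    next
    edit 3
        set srcintf "wan1"
        set dstintf "Switch"
        set srcaddr "all"
        set dstaddr "Management_RDP"
        set service "RDP"
        set nat enable
    next
end
"""

def parse_fortios(text):
    """Parse the flat config/edit/set/next/end subset used above into
    {section: {entry_id: {key: [values]}}}; keys set outside 'edit' land in ''."""
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        tok = re.findall(r'"[^"]*"|\S+', line)
        if not tok:
            continue
        cmd, args = tok[0], [t.strip('"') for t in tok[1:]]
        if cmd == "config":
            section = tree.setdefault(" ".join(args), {})
            entry = section.setdefault("", {})
        elif cmd == "edit":
            entry = section.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = section[""]
    return tree

def check_policies(text, wan_if="wan1", nd_group="ND_Address_Group"):
    """Return (policy_id, problem) pairs for each deviation from the SOP's rules.
    wan_if and nd_group are assumed names; the GUI's ALL interface is 'any' in CLI."""
    findings = []
    for pid, p in parse_fortios(text).get("firewall policy", {}).items():
        if pid == "":
            continue
        if "any" in p.get("srcintf", []) + p.get("dstintf", []):
            findings.append((pid, "interface set to ALL/any"))
        nat_on = p.get("nat") == ["enable"]
        if wan_if in p.get("srcintf", []):  # WAN to Internal: VIP policy
            if nat_on:
                findings.append((pid, "NAT enabled on inbound VIP policy"))
            for prof in ("av-profile", "ips-sensor"):
                if prof not in p:
                    findings.append((pid, "missing " + prof))
            if "RDP" in p.get("service", []) and p.get("srcaddr") != [nd_group]:
                findings.append((pid, "RDP source not restricted to " + nd_group))
        else:  # Internal to WAN: NAT on, outbound profiles applied
            if not nat_on:
                findings.append((pid, "NAT not enabled on outbound policy"))
            for prof in ("webfilter-profile", "application-list"):
                if prof not in p:
                    findings.append((pid, "missing " + prof))
    return findings
```

Running check_policies(SAMPLE_CONFIG) reports only policy 3, whose constructed RDP entry breaks four rules at once; a real dump can be fed in the same way after `show firewall policy`.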
System
Finalize Config
The next couple of steps are some of the most important, and often overlooked. We need to change the password for the admin account, create an ND_Admin account, and save the config.
Admin Accounts
1. Navigate to System > Administrators
- Highlight the admin entry and select Edit
- Select Change Password
  - Enter the old password
  - New Password
  - Confirm New Password
- Select OK
- Select OK again
2. The FortiGate will log you out. Log back in and navigate to System > Administrators
- Select Create New
  - Administrator: ND_Admin (case sensitive)
  - Type: Regular
  - Password: ND default password
  - Confirm Password: self explanatory
  - Admin Profile: super_admin
- Click OK
Backup Config
1. Navigate to System > Status
- Select Backup in the System Information window
- Select Backup in the pop-up window
Congratulations!!! You have just completed a basic FortiGate config.