FortiGate Base Configuration
The following settings are what I configure by script or CLI whenever a FortiGate firewall is delivered, both as an initial hardening of the system and as the settings and objects that I usually rely on in the subsequent fine-tuning.
The settings include, for example:
System settings
- Hostname
- Time zone
- Admin lockout settings, admin SCP, admin UI port (443->8443), admin timeout, display properties and colour scheme
- Adjusted validity period of the two-factor SMS/email token
- GUI display options
- Password policy
- Non-default admin account with login restricted to the internal LAN
- External DNS servers IPv4/IPv6 (Google DNS)
- Email server for notifications
- SMS gateway servers for two-factor authentication (Telekom/Vodafone)
- NTP sync configuration against de.pool.ntp.org, hourly
- NTP server mode & listening interfaces
VPN settings
- SSL VPN timeout, URL obscuration, SSL VPN port changed from the FortiGate default (10443->443, which works because the admin UI has been moved to 8443), auto-route/auto-policy disabled
Firewall objects
- Firewall addresses and address groups (IPv4/IPv6)
- Firewall services and service groups
User/group objects
- LDAP/AD connection, general
- LDAP/AD connection for VPN dial-in (filter: AD attribute "msNPAllowDialin=TRUE")
- Remote access group (filter: LDAP/AD connection for VPN dial-in)
- Captive portal exemptions (devices / security list)
Email notification
- Daily mailing of configuration changes & admin logins
config system global
    set hostname <Hostname>
    set admin-lockout-duration 30
    set admin-lockout-threshold 5
    set admin-scp enable
    set admin-sport 8443
    set admintimeout 30
    set gui-lines-per-page 100
    set gui-theme blue
    set timezone 26
    set two-factor-email-expiry 300
    set two-factor-sms-expiry 300
end
config system settings
    set default-voip-alg-mode kernel-helper-based
    set gui-icap enable
    set gui-dns-database enable
    set gui-load-balance enable
    set gui-multicast-policy enable
    set gui-voip-profile enable
    set gui-dynamic-profile-display enable
    set gui-local-in-policy enable
    set gui-explicit-proxy enable
    set gui-dynamic-routing enable
    set gui-dlp enable
    set gui-sslvpn-personal-bookmarks enable
    set gui-sslvpn-realms enable
    set gui-policy-based-ipsec enable
    set gui-multiple-utm-profiles enable
    set gui-spamfilter enable
    set gui-ips enable
    set gui-endpoint-control-advanced enable
    set gui-wan-load-balancing enable
    set gui-waf-profile enable
    set gui-allow-unnamed-policy enable
    set gui-multiple-interface-policy enable
end
config system password-policy
    set status enable
end
config system admin
    edit admin.local
        set trusthost1 <local subnet, e.g. 192.168.1.0 255.255.255.0>
        set accprofile super_admin
        set vdom root
        set email-to <email address>
        set password <password>
    next
end
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
    set ip6-primary 2001:4860:4860::8888
    set ip6-secondary 2001:4860:4860::8844
end
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    config ntpserver
        edit 1
            set server de.pool.ntp.org
        next
    end
    set server-mode enable
    set interface <interface 1> <interface 2> <interface n>
end
config system sms-server
    edit T-Mobile-SMS.de
        set mail-server t-mobile-sms.de
    next
    edit Vodafone-SMS.de
        set mail-server vodafone-sms.de
    next
end
config system email-server
    set reply-to <reply-to email>
    set server <SMTP hostname>
    set authenticate enable
    set username <username>
    set password <password>
end
config vpn ssl settings
    set dns-suffix <DNS suffix>
    set dns-server1 <DNS server 1>
    set dns-server2 <DNS server 2>
    set idle-timeout 600
    set url-obscuration enable
    set port 443
    set auto-tunnel-policy disable
    set auto-tunnel-static-route disable
end
config firewall address
    edit geo_germany
        set type geography
        set color 7
        set country DE
    next
    edit host_dns_google-public-dns-a.google.com
        set visibility disable
        set color 7
        set subnet 8.8.8.8 255.255.255.255
    next
    edit host_dns_google-public-dns-b.google.com
        set visibility disable
        set color 7
        set subnet 8.8.4.4 255.255.255.255
    next
end
config firewall addrgrp
    edit hosts_dns_google
        set member host_dns_google-public-dns-a.google.com host_dns_google-public-dns-b.google.com
        set color 7
    next
end
config firewall address6
    edit host_dns_google-public-dns-a.google.com_ip6
        set ip6 2001:4860:4860::8888/128
        set visibility disable
        set color 7
    next
    edit host_dns_google-public-dns-b.google.com_ip6
        set ip6 2001:4860:4860::8844/128
        set visibility disable
        set color 7
    next
end
config firewall addrgrp6
    edit hosts_dns_google_ipv6
        set color 7
        set member host_dns_google-public-dns-a.google.com_ip6 host_dns_google-public-dns-b.google.com_ip6
    next
end
config firewall service custom
    edit HTTPS_8443
        set category "Web Access"
        set tcp-portrange 8443
    next
    edit HTTP_8080
        set category "Web Access"
        set tcp-portrange 8080
    next
    edit TEREDO
        set category "Tunneling"
        set comment "RFC 4380 - Teredo: Tunneling IPv6 over UDP through NATs"
        set udp-portrange 3544
    next
    edit ISCSI
        set category "Network Services"
        set tcp-portrange 3260
        set udp-portrange 3260
        set comment "iSCSI Connection Ports"
    next
    edit MARIADB5
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 3306
        set comment "Maria DB 5 Communication Port"
    next
    edit MARIADB10
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 3307
        set comment "Maria DB 10 Communication Port"
    next
    edit NNTPS
        set tcp-portrange 563
        set comment "NNTP over SSL"
    next
    edit APPLE_APNS
        set category "VoIP, Messaging & Other Applications"
        set comment "Apple Push Notification Service for iOS Devices"
        set tcp-portrange 443 2195 2196 5223
    next
end
config firewall service group
    edit "Services Captive Portal Exemption"
        set member DNS
    next
    edit "Services Internet Access Level 0"
        set member HTTP HTTPS PING
    next
    edit "Services Internet Access Level 1"
        set member HTTP HTTPS PING HTTPS_8443 HTTP_8080
    next
    edit "Services Internet Access Level 2"
        set member HTTP HTTPS PING FTP HTTPS_8443 HTTP_8080 IKE IMAP IMAPS L2TP POP3 POP3S PPTP RDP SMTP SMTPS SSH TRACEROUTE VNC WINFRAME
    next
    edit "Services Internet Access Level 3"
        set member ALL
    next
end
config user ldap
    edit <domain name>
        set server <domain controller 1 IP>
        set secondary-server <domain controller 2 IP>
        set cnid sAMAccountName
        set dn DC=<domain>,DC=<domain>
        set type regular
        set username CN=<service account>,OU=<organizational unit>,DC=<domain>,DC=<domain>
        set password <password>
    next
    edit <domain name>_DialIn
        set server <domain controller 1 IP>
        set secondary-server <domain controller 2 IP>
        set cnid sAMAccountName
        set dn DC=<domain>,DC=<domain>
        set type regular
        set username CN=<service account>,OU=<organizational unit>,DC=<domain>,DC=<domain>
        set password <password>
        set member-attr msNPAllowDialin
    next
end
config user group
    edit vpn-ssl-portal
        set member <domain name>_DialIn
        config match
            edit 1
                set server-name <domain name>_DialIn
                set group-name TRUE
            next
        end
    next
end
config user device-group
    edit "Devices Captive Portal Exemption"
        set comment "Devices with internet access without Captive Portal authentication."
    next
    edit "Devices Internet Access Level 0"
        set comment "Devices with allowed Services Internet Access Level 0"
    next
    edit "Devices Internet Access Level 1"
        set comment "Devices with allowed Services Internet Access Level 1"
    next
    edit "Devices Internet Access Level 2"
        set comment "Devices with allowed Services Internet Access Level 2"
    next
    edit "Devices Internet Access Level 3"
        set comment "Devices with allowed Services Internet Access Level 3"
    next
end
config user security-exempt-list
    edit "Captive Portal Exemption List"
        config rule
            edit 1
                set devices "Devices Captive Portal Exemption"
            next
            edit 2
                set service "Services Captive Portal Exemption"
            next
        end
    next
end
config alertemail setting
    set username <sender email>
    set mailto1 <recipient email>
    set email-interval 1440
    set configuration-changes-logs enable
    set admin-login-logs enable
end
The <domain name>_DialIn connection works by setting member-attr to msNPAllowDialin: the FortiGate then reads that AD attribute in place of the usual group membership, so the vpn-ssl-portal group match on group-name TRUE admits exactly those users whose dial-in permission is set in AD. As written, both LDAP connections bind with the service-account password over plain LDAP; for production use, enable LDAPS on the connection (set secure ldaps, set port 636) so the bind credentials do not cross the network unencrypted.
Optional: FortiGuard and/or FortiCloud logging/management connection
config system fortiguard
    set service-account-id <FortiGuard ID>
    set auto-join-forticloud enable
end
config log fortiguard setting
    set status enable
end
config log fortiguard filter
    set severity warning
end
config system central-management
    set mode backup
    set type fortiguard
end
Optional: interface configuration and bandwidth settings.
The following example makes these assumptions:
- Model: SOHO FortiGate with WAN1/WAN2/INTERNAL/DMZ ports (e.g. FortiGate 60 series)
- WAN1/WAN2 uplinks (zone WAN): PPPoE (Telekom) / 50 Mbit/s downstream / 10 Mbit/s upstream
config system zone
    edit wan
        set intrazone deny
        set interface wan1 wan2
    next
end
config system interface
    edit wan1
        set mode pppoe
        set estimated-upstream-bandwidth 10000
        set estimated-downstream-bandwidth 50000
        set username <PPPoE login>@t-online.de
        set password <PPPoE password>
        set dns-server-override disable
        set mtu-override enable
        set mtu 1492
        unset allowaccess
    next
    edit wan2
        set mode pppoe
        set estimated-upstream-bandwidth 10000
        set estimated-downstream-bandwidth 50000
        set username <PPPoE login>@t-online.de
        set password <PPPoE password>
        set dns-server-override disable
        set mtu-override enable
        set mtu 1492
        unset allowaccess
    next
    edit internal
        set allowaccess ping https ssh capwap
        set device-identification enable
        set device-identification-active-scan enable
    next
    edit dmz
        set allowaccess ping
        set device-identification enable
        set device-identification-active-scan enable
    next
end
The bandwidth values are in kbit/s. set intrazone deny (the valid values are allow and deny) blocks traffic between wan1 and wan2, and set dns-server-override disable stops the DNS servers learned via PPPoE from replacing the ones configured under config system dns. unset allowaccess leaves no management protocol listening on the WAN interfaces; administration happens via the internal interface only.
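As an added example (not part of the original page), the following Python script parses FortiOS CLI text of the kind shown above into nested dicts and checks it against the hardening items from the base configuration and the WAN interface block: admin GUI port distinct from the SSL VPN port, admin lockout threshold, password policy enabled, a trusthost on every admin account, and no management access on interfaces that are members of the wan zone. The two sample configs and the lockout threshold are constructed assumptions for the example, not FortiOS defaults.

```python
"""FortiOS CLI parser and hardening audit for the base configuration above.
Added example, not from the original page; samples and thresholds are assumptions."""
import shlex

MAX_LOCKOUT_THRESHOLD = 5  # assumed policy for admin-lockout-threshold


def parse_fortios(text):
    """'config a b' and 'edit x' open a child dict keyed 'a b' / 'x';
    'set k v ...' stores [v, ...]; 'unset k' stores []; 'next'/'end' close."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        cur = stack[-1]
        if cmd in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "set":
            cur[args[0]] = args[1:]
        elif cmd == "unset":
            cur[args[0]] = []
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unsupported line: {line}")
    return root


def first(node, key, default=None):
    """Single value of 'set key value', or default when the key is absent."""
    vals = node.get(key, [])
    return vals[0] if vals else default


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    f, glob = [], cfg.get("system global", {})
    # Admin GUI and SSL VPN must not share a TCP port (FortiOS defaults 443 / 10443).
    admin_port = int(first(glob, "admin-sport", 443))
    vpn_port = int(first(cfg.get("vpn ssl settings", {}), "port", 10443))
    if admin_port == vpn_port:
        f.append(f"admin-sport and SSL VPN port are both {admin_port}")
    if int(first(glob, "admin-lockout-threshold", 3)) > MAX_LOCKOUT_THRESHOLD:
        f.append("admin-lockout-threshold above policy")
    if first(cfg.get("system password-policy", {}), "status") != "enable":
        f.append("password policy disabled")
    # Every admin account pinned to a trusted host (0.0.0.0 means any source).
    for name, admin in cfg.get("system admin", {}).items():
        hosts = admin.get("trusthost1", [])
        if not hosts or hosts[0] == "0.0.0.0":
            f.append(f"admin {name} has no trusthost")
    # No management access on interfaces that are members of zone 'wan'.
    ifaces = cfg.get("system interface", {})
    for name in cfg.get("system zone", {}).get("wan", {}).get("interface", []):
        access = ifaces.get(name, {}).get("allowaccess", [])
        if access:
            f.append(f"wan interface {name} allows {' '.join(access)}")
    return f


# Constructed sample that mirrors the hardening items on this page.
HARDENED = """
config system global
    set admin-lockout-threshold 5
    set admin-sport 8443
end
config system password-policy
    set status enable
end
config system admin
    edit admin.local
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
config vpn ssl settings
    set port 443
end
config system zone
    edit wan
        set interface wan1 wan2
    next
end
config system interface
    edit wan1
        unset allowaccess
    next
end
"""

# The same config with four typical mistakes re-introduced (constructed).
WEAK = (HARDENED.replace("set admin-sport 8443", "set admin-sport 443")
        .replace("set status enable", "set status disable")
        .replace("        set trusthost1 192.168.1.0 255.255.255.0\n", "")
        .replace("unset allowaccess", "set allowaccess https ssh"))
```

Values are kept as lists because a FortiOS set line may carry several tokens (a subnet plus mask, an interface or member list), and a bare unset is stored as an empty list so that "no allowaccess" and "allowaccess never set" are treated the same way by the audit. Calling audit(parse_fortios(HARDENED)) returns an empty list; audit(parse_fortios(WEAK)) returns the four findings.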
Optional: wireless configuration & AP provisioning
config system global
    set gui-wireless-opensecurity enable
end
config wireless-controller setting
    set country DE
end
config wireless-controller wtp-profile
    edit <WTP profile name>
        config platform
            set type <AP model>
        end
        set ap-country DE
        config radio-1
            set band 802.11n,g-only
            set vap-all enable
        end
        config radio-2
            set band 802.11ac
            set channel-bonding 80MHz
            set vap-all enable
        end
    next
end
config wireless-controller wtp
    edit <AP serial>
        set admin enable
        set wtp-profile <WTP profile name>
        set override-allowaccess enable
        set allowaccess https ssh
        set override-login-passwd-change enable
        set login-passwd-change default
    next
end
set vap-all enable binds every configured SSID to the radio, so any SSID created later is broadcast by all APs using this profile; set gui-wireless-opensecurity enable only unhides the open (unencrypted) security mode in the GUI and does not create an open SSID by itself.
Fine-tuning according to the customer's requirements follows afterwards.