FortiGate Basic Configuration

I configure the following settings by script or CLI on every delivery of a FortiGate firewall, to apply an initial hardening of the system, together with the settings and objects that I usually use during the subsequent detailed configuration.

The settings include, for example:

System Settings

  • Hostname
  • Time zone
  • Admin lockout settings, admin SCP, admin UI port (443->8443), admin timeout, display properties and colour scheme
  • Adjusted validity period of the two-factor SMS/email token
  • GUI display options
  • Password policy
  • Non-default admin account with login restricted to the internal LAN
  • External DNS servers, IPv4/IPv6 (Google DNS servers)
  • Email server for notifications
  • SMS gateway servers for two-factor authentication (Telekom/Vodafone)
  • NTP sync configuration for de.pool.ntp.org, hourly
  • NTP server mode and listening interfaces

VPN Settings

  • SSL VPN timeout, URL obscuration, SSL VPN port changed to non-default (10443->443), auto-route/auto-policy disabled

Firewall Objects

  • Firewall addresses and address groups (IPv4/IPv6)
  • Firewall services and service groups

User/Group Objects

  • LDAP/AD connection, general
  • LDAP/AD connection for VPN dial-in (filter: AD attribute "msNPAllowDialin=TRUE")
  • Remote access group (filter: LDAP/AD connection for VPN dial-in)
  • Captive portal exemptions (devices / security list)

Email Notification

  • Daily mailing of configuration changes and admin logins

config system global
   set hostname <Hostname>
   set admin-lockout-duration 30
   set admin-lockout-threshold 5
   set admin-scp enable
   set admin-sport 8443
   set admintimeout 30
   set gui-lines-per-page 100
   set gui-theme blue
   set timezone 26
   set two-factor-email-expiry 300
   set two-factor-sms-expiry 300
end
config system settings
   set default-voip-alg-mode kernel-helper-based
   set gui-icap enable
   set gui-dns-database enable
   set gui-load-balance enable
   set gui-multicast-policy enable
   set gui-voip-profile enable
   set gui-dynamic-profile-display enable
   set gui-local-in-policy enable
   set gui-explicit-proxy enable
   set gui-dynamic-routing enable
   set gui-dlp enable
   set gui-sslvpn-personal-bookmarks enable
   set gui-sslvpn-realms enable
   set gui-policy-based-ipsec enable
   set gui-multiple-utm-profiles enable
   set gui-spamfilter enable
   set gui-ips enable
   set gui-endpoint-control-advanced enable
   set gui-wan-load-balancing enable
   set gui-waf-profile enable
   set gui-allow-unnamed-policy enable
   set gui-multiple-interface-policy enable
end
config system password-policy
   set status enable
end
config system admin
   edit admin.local
      set trusthost1 <Local Subnet, Bsp.: 192.168.1.0 255.255.255.0>
      set accprofile super_admin
      set vdom root
      set email-to <Email-Adresse>
      set password <Password>
   next
end
config system dns
   set primary 8.8.8.8
   set secondary 8.8.4.4
   set ip6-primary 2001:4860:4860::8888
   set ip6-secondary 2001:4860:4860::8844
end
config system ntp
   set ntpsync enable
   set type custom
   set syncinterval 60
   config ntpserver
      edit 1
         set server de.pool.ntp.org
      next
   end
   set server-mode enable
   set interface <Interface 1> <Interface 2> <Interface n>
end
config system sms-server
   edit T-Mobile-SMS.de
      set mail-server t-mobile-sms.de
   next
   edit Vodafone-SMS.de
      set mail-server vodafone-sms.de
   next
end
config system email-server
   set reply-to <Reply-Email>
   set server <SMTP-Hostname>
   set authenticate enable
   set username <Username>
   set password <Password>
end
config vpn ssl settings
   set dns-suffix <DNS-Suffix>
   set dns-server1 <DNS-Server-1>
   set dns-server2 <DNS-Server-2>
   set idle-timeout 600
   set url-obscuration enable
   set port 443
   set auto-tunnel-policy disable
   set auto-tunnel-static-route disable
end
config firewall address
   edit geo_germany
      set type geography
      set color 7
      set country DE
   next
   edit host_dns_google-public-dns-a.google.com
      set visibility disable
      set color 7
      set subnet 8.8.8.8 255.255.255.255
   next
   edit host_dns_google-public-dns-b.google.com
      set visibility disable
      set color 7
      set subnet 8.8.4.4 255.255.255.255
   next
end
config firewall addrgrp
   edit hosts_dns_google
      set member host_dns_google-public-dns-a.google.com host_dns_google-public-dns-b.google.com
      set color 7
   next
end
config firewall address6
   edit host_dns_google-public-dns-a.google.com_ip6
      set ip6 2001:4860:4860::8888/128
      set visibility disable
      set color 7
   next
   edit host_dns_google-public-dns-b.google.com_ip6
      set ip6 2001:4860:4860::8844/128
      set visibility disable
      set color 7
   next
end
config firewall addrgrp6
   edit hosts_dns_google_ipv6
      set color 7
      set member host_dns_google-public-dns-a.google.com_ip6 host_dns_google-public-dns-b.google.com_ip6
   next
end
config firewall service
   edit HTTPS_8443
      set category "Web Access"
      set tcp-portrange 8443
   next
   edit HTTP_8080
      set category "Web Access"
      set tcp-portrange 8080
   next
   edit TEREDO
      set category "Tunneling"
      set comment "RFC 4380 - Teredo: Tunneling IPv6 over UDP through NATs"
      set udp-portrange 3544
   next
   edit ISCSI
      set category "Network Services"
      set tcp-portrange 3260
      set udp-portrange 3260
      set comment "iSCSI Connection Ports"
   next
   edit MARIADB5
      set category "VoIP, Messaging & Other Applications"
      set tcp-portrange 3306
      set comment "Maria DB 5 Communication Port"
   next
   edit MARIADB10
      set category "VoIP, Messaging & Other Applications"
      set tcp-portrange 3307
      set comment "Maria DB 10 Communication Port"
   next
   edit NNTPS
      set tcp-portrange 563
      set comment "NNTP over SSL"
   next
   edit APPLE_APNS
      set category "VoIP, Messaging & Other Applications"
      set comment "Apple Push Notification Service for iOS Devices"
      set tcp-portrange 443 2195 2196 5223
   next
end
config firewall service group
   edit "Services Captive Portal Exemption"
      set member DNS
   next
   edit "Services Internet Access Level 0"
      set member HTTP HTTPS PING
   next
   edit "Services Internet Access Level 1"
      set member HTTP HTTPS PING HTTPS_8443 HTTP_8080
   next
   edit "Services Internet Access Level 2"
      set member HTTP HTTPS PING FTP HTTPS_8443 HTTP_8080 IKE IMAP IMAPS L2TP POP3 POP3S PPTP RDP SMTP SMTPS SSH TRACEROUTE VNC WINFRAME
   next
   edit "Services Internet Access Level 3"
      set member ALL
   next
end
config user ldap
   edit <Domain-Name>
      set server <Domain-Controller-1-IP>
      set secondary-server <Domain-Controller-2-IP>
      set cnid sAMAccountName
      set dn DC=<Domain>,DC=<Domain>
      set type regular
      set username CN=<Service-Account>,OU=<Organizational Unit>,DC=<Domain>,DC=<Domain>
      set password <Passwort>
   next
   edit <Domain-Name>_DialIn
      set server <Domain-Controller-1-IP>
      set secondary-server <Domain-Controller-2-IP>
      set cnid sAMAccountName
      set dn DC=<Domain>,DC=<Domain>
      set type regular
      set username CN=<Service-Account>,OU=<Organizational Unit>,DC=<Domain>,DC=<Domain>
      set password <Passwort>
      set member-attr msNPAllowDialin
   next
end
config user group
   edit vpn-ssl-portal
      set member <Domain-Name>_DialIn
      config match
         edit 1
            set server-name <Domain-Name>_DialIn
            set group-name TRUE
         next
      end
   next
end
config user device-group
   edit "Devices Captive Portal Exemption"
      set comment "Devices with internet access without Captive Portal authentication."
   next
   edit "Device Internet Access Level 0"
      set comment "Devices with allowed Services Internet Access Level 0"
   next
   edit "Devices Internet Access Level 1"
      set comment "Devices with allowed Services Internet Access Level 1"
   next
   edit "Devices Internet Access Level 2"
      set comment "Devices with allowed Services Internet Access Level 2"
   next
   edit "Devices Internet Access Level 3"
      set comment "Devices with allowed Services Internet Access Level 3"
   next
end
config user security-exempt-list
   edit "Captive Portal Exemption List"
      config rule
         edit 1
            set devices "Devices Captive Portal Exemption"
         next
         edit 2
            set service "Services Captive Portal Exemption"
         next
      end
   next
end
config alertemail setting
   set username <Absender-Email>
   set mailto1 <Empfänger-Email>
   set email-interval 1440
   set configuration-changes-logs enable
   set admin-login-logs enable
end

Optional: FortiGuard and/or FortiCloud logging/management connection

config system fortiguard
   set service-account-id <FortiGuard-ID>
   set auto-join-forticloud enable
end
config log fortiguard setting
   set status enable
end
config log fortiguard filter
   set severity warning
end
config system central-management
   set mode backup
   set type fortiguard
end

Optional: interface configuration and bandwidth settings.
The following example is based on these assumptions:

  • Model: SOHO FortiGate with WAN1/WAN2/INTERNAL/DMZ ports (e.g. FortiGate 60 series)
  • WAN1/WAN2 uplink (zone WAN): PPPoE (Telekom) / 50 MBit/s upstream / 10 MBit/s downstream

config system zone
   edit wan
      set intrazone disable
      set interface wan1 wan2
   next
end
config system interface
   edit wan1
      set mode pppoe
      set estimated-upstream-bandwidth 10000
      set estimated-downstream-bandwidth 50000
      set username <PPPoE-Login-Daten>@t-online.de
      set password <PPPoE Passwort>
      set dns-server-override disable
      set mtu-override enable
      set mtu 1492
      unset allowaccess
   next
   edit wan2
      set mode pppoe
      set estimated-upstream-bandwidth 10000
      set estimated-downstream-bandwidth 50000
      set username <PPPoE-Login-Daten>@t-online.de
      set password <PPPoE Passwort>
      set dns-server-override disable
      set mtu-override enable
      set mtu 1492
      unset allowaccess
   next
   edit internal
      set allowaccess ping https ssh capwap
      set device-identification enable
      set device-identification-active-scan enable
   next
   edit dmz
      set allowaccess ping
      set device-identification enable
      set device-identification-active-scan enable
   next
end
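As an added example (not the provisioning script I use, and not part of the configuration above), the following Python parses FortiOS CLI configuration text of the kind shown on this page into a tree and audits it against the baseline points of the main block and of the interface block: admin port moved off 443, admin lockout set, password policy enabled, admin accounts restricted by trusthost, SSL VPN port moved off 10443 with auto-policy/auto-route disabled, and no management access on WAN interfaces (the `unset allowaccess` of the interface block). The two configuration excerpts are constructed for the example, and `_node`, `parse_fortios`, `audit`, `audit_text`, `HARDENED` and `WEAK` are names I chose. One caveat the checks encode: a dump that omits a setting because it equals the FortiOS default reads as that default (443 for `admin-sport`, 10443 for the SSL VPN port), which is why a missing line counts as a finding rather than as a pass.

```python
"""FortiOS CLI config parser plus baseline audit. Added example, not the post author's script."""
import shlex

def _node() -> dict:
    # A node is one `config <table>` block or one `edit <entry>` inside it.
    return {"set": {}, "sub": {}}

def parse_fortios(text: str) -> dict:
    """config/edit push a child node, next/end pop it, set/unset store values."""
    stack = [_node()]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blanks and #config-version headers
            continue
        tokens = shlex.split(line)            # keeps quoted names like "Web Access" whole
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1]["sub"].setdefault(" ".join(args), _node()))
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1]["set"][args[0]] = []
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword in line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return stack[0]

def audit(root: dict) -> list:
    """One finding per baseline point the configuration does not meet."""
    findings = []
    g = root["sub"].get("system global", _node())["set"]
    if g.get("admin-sport", ["443"]) == ["443"]:      # unset means the 443 default
        findings.append("system global: admin-sport is 443 (baseline moves it to 8443)")
    if "admin-lockout-threshold" not in g or "admin-lockout-duration" not in g:
        findings.append("system global: admin lockout threshold/duration not set")
    if root["sub"].get("system password-policy", _node())["set"].get("status") != ["enable"]:
        findings.append("system password-policy: status not enabled")
    for name, adm in root["sub"].get("system admin", _node())["sub"].items():
        hosts = [v for k, v in adm["set"].items() if k.startswith("trusthost")]
        if not hosts or ["0.0.0.0", "0.0.0.0"] in hosts:
            findings.append(f"system admin {name}: login not restricted by trusthost")
    ssl = root["sub"].get("vpn ssl settings", _node())["set"]
    if ssl.get("port", ["10443"]) == ["10443"]:      # unset means the 10443 default
        findings.append("vpn ssl settings: port left at default 10443")
    for key in ("auto-tunnel-policy", "auto-tunnel-static-route"):
        if ssl.get(key) != ["disable"]:
            findings.append(f"vpn ssl settings: {key} not disabled")
    for name, itf in root["sub"].get("system interface", _node())["sub"].items():
        access = itf["set"].get("allowaccess", [])
        if name.startswith("wan") and access:
            findings.append(f"system interface {name}: management access ({' '.join(access)}) on WAN")
    return findings

def audit_text(text: str) -> list:
    return audit(parse_fortios(text))

# Constructed excerpt following the post's baseline (not a real device dump).
HARDENED = """\
config system global
   set admin-lockout-duration 30
   set admin-lockout-threshold 5
   set admin-sport 8443
end
config system password-policy
   set status enable
end
config system admin
   edit admin.local
      set trusthost1 192.168.1.0 255.255.255.0
   next
end
config vpn ssl settings
   set port 443
   set auto-tunnel-policy disable
   set auto-tunnel-static-route disable
end
config system interface
   edit wan1
      unset allowaccess
   next
end
"""
# Constructed excerpt with defaults kept and management reachable from the WAN.
WEAK = """\
config system admin
   edit admin
      set trusthost1 0.0.0.0 0.0.0.0
   next
end
config system interface
   edit wan1
      set allowaccess ping https
   next
end
"""
```

`audit_text(HARDENED)` returns an empty list, while `audit_text(WEAK)` returns one finding per missing or weak point (default admin port, no lockout, no password policy, open trusthost, default SSL VPN port, auto-policy/route not disabled, management access on wan1). Feeding it the output of `show full-configuration` from a real unit works the same way, since the parser only relies on the config/edit/set/unset/next/end keywords.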

Optional: wireless configuration & AP provisioning

config system global
   set gui-wireless-opensecurity enable
end
config wireless-controller setting
   set country DE
end
config wireless-controller wtp-profile
   edit <WTP-Profile-Name>
      config platform
         set type <AP-Modell>
      end
      set ap-country DE
      config radio-1
         set band 802.11n,g-only
         set vap-all enable
      end
      config radio-2
         set band 802.11ac
         set channel-bonding 80MHz
         set vap-all enable
      end
   next
end
config wireless-controller wtp
   edit <AP-Serial>
      set admin enable
      set wtp-profile <WTP-Profile-Name>
      set override-allowaccess enable
      set allowaccess https ssh
      set override-login-passwd-change enable
      set login-passwd-change default
   next
end

The detailed configuration according to the customer's requirements follows afterwards.
