Cybercriminals pose a serious threat to businesses today. That’s why we’re sharing our FortiGate firewall expertise with you.
Our security team has provided Firewall Management Services for decades. Now, we’re publishing our best practices to help you better protect your organization.
We’ll walk through FortiGate firewall configurations step by step, showing you how to implement them correctly for maximum security.
FortiGate Best Practices
Below are key practices we use when auditing FortiGate firewalls for our Management Firewall Service. We’ve excluded default FortiGate security measures (like disabled SNMP agents) to focus on additional protections.
Management & VDOMs
VDOMs
Virtual Domains (VDOMs) are our recommended approach to FortiGate firewall management: they let a single FortiGate operate as multiple independent firewalls (separate interfaces, routing tables and policies) while everything is still administered through one GUI.
We recommend implementing a dedicated VDOM for management purposes whenever possible. For instance, designate the “root” VDOM to handle management traffic exclusively, while creating a separate VDOM for data traffic. This architecture can be further enhanced by establishing specialized VDOMs for departmental segmentation, production/non-production environments, or other organizational divisions.
Management and Administration
Below is part of our list of general guidelines for managing a FortiGate firewall:
Configure pre-login and post-login banners (reference)
Why: The banner should, at the very least, prohibit unauthorized access, notify users that activity is logged and monitored, and avoid language that could be read as an invitation (e.g. “welcome”).
How:
config system global
set pre-login-banner enable
set post-login-banner enable
end
Configure the correct time zone and NTP (by default the FortiGate uses FortiGuard NTP; you can change this via the CLI):
Why: It is essential to have accurate timestamps when correlating events with other systems, troubleshooting, or performing DFIR work.
How:
Log in to the FortiGate and go to System -> Settings. The time zone and NTP settings are under System Time.
Disable USB firmware and configuration auto-install
Why: Disabling auto-install from USB prevents a USB stick carrying a manipulated configuration or the wrong firmware from being loaded automatically as soon as it is plugged in. Anyone with brief physical access to the device could otherwise replace its configuration.
How:
config system auto-install
set auto-install-config disable
set auto-install-image disable
end
Have a strong password policy
Why: Administrators should use strong passwords that cannot easily be brute-forced, and the same rule should cover IPsec pre-shared keys.
How:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 15
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
Make sure that only SNMPv3 is enabled (disable SNMPv1/v2c)
Why: SNMPv1 and v2c send the community string and all data in clear text, so anyone on the path can read them and replay the community string. SNMPv3 adds authentication (auth-priv with SHA-256) and privacy (AES-256 encryption). Also remove any leftover v1/v2c communities so that only the v3 user remains.
How:
FG_HIFENCE # config system snmp user
FG_HIFENCE (user) # edit "HIFENCE_SNMP"
FG_HIFENCE (HIFENCE_SNMP) # set security-level auth-priv
FG_HIFENCE (HIFENCE_SNMP) # set auth-proto sha256
FG_HIFENCE (HIFENCE_SNMP) # set auth-pwd xxxx
FG_HIFENCE (HIFENCE_SNMP) # set priv-proto aes256
FG_HIFENCE (HIFENCE_SNMP) # set priv-pwd xxxx
FG_HIFENCE (HIFENCE_SNMP) # end
Admin Authentication must have specific trusted hosts enabled and set
Why: To secure an administrative account, configure it to be reachable only from trusted hosts, i.e. specific IP addresses or subnets. Login attempts from any other network segment are rejected before the password is even checked, which also blunts brute-force attempts. This means that administrators working remotely need a jump host in an allowed segment to gain access.
How:
FG_HIFENCE # config system admin
FG_HIFENCE (admin) # edit "hifence_admin"
FG_HIFENCE (hifence_admin) # set trusthost1 10.255.255.0 255.255.255.0
FG_HIFENCE (hifence_admin) # set trusthost2 10.200.255.0 255.255.255.0
FG_HIFENCE (hifence_admin) # next
FG_HIFENCE (admin) # end
Only encrypted protocols are allowed for the management of the firewall
Why: By allowing only encrypted protocols (HTTPS/SSH) for management, we make sure that management traffic and credentials cannot be sniffed or modified in transit, for example by a man-in-the-middle. HTTP and Telnet must not appear in the allowed list.
How:
FG_HIFENCE # config system interface
FG_HIFENCE (interface) # edit port1
FG_HIFENCE (port1) # set allowaccess ssh https
FG_HIFENCE (port1) # end
FG_HIFENCE #
Configure HA, Monitor Interfaces and Reserve Management Interface
Configuring High Availability (HA) increases availability and reduces the impact of both routine maintenance (such as firmware updates) and device failure.
With interface monitoring enabled, failover is triggered when a monitored link goes down, whether because of a physical media problem or a problem with the switch port the FortiGate is connected to (reference). Use dedicated interfaces or VLANs for heartbeats and configuration sync! You do not want to lose heartbeats during a spike in normal data traffic.
By designating an interface as the “Reserved Management Interface”, we can reach each firewall individually: that interface’s configuration is excluded from HA synchronization, so each unit keeps its own management IP even while everything else is synced.
Configure HA as active/passive
Based on our experience, most enterprises run an active/passive setup; we have rarely seen a use case where active/active was really needed (public clouds being the exception).
Some advantages of using active/passive vs active/active are:
1. When you make a change, you do it only once (on the active unit) and you do not need any other equipment (like a FortiManager) to configure it on the other firewall node
2. Easier troubleshooting: you know for sure which unit is processing the traffic and then the troubleshooting and fixing time is faster
3. Failover is fast because the units synchronize their sessions (with session pickup enabled in the HA configuration), so established connections survive the switch
4. You can do failover by using monitored interfaces as presented above
5. No over-subscription. In active/active, if the load on both units goes above 50% and one unit fails, the remaining one will NOT be able to handle the traffic. To be fair, active/active lets you use both firewalls’ capacity, so there are downsides to both.
Network – Interfaces & Zones
Allow only ping on non-management interfaces
Why: There is NO need for management access on any interface other than the management interface; every extra interface with HTTPS or SSH enabled is another place an attacker can attempt to log in.
How: Go to the interface level and allow only “ping” as an allowed protocol.
Add only VLAN interfaces to zones, not a physical interface
Why: Why lose physical interfaces when you can take advantage of using VLAN interfaces? This way, you have enough available physical interfaces to further expand your environment as needed.
How: Create VLAN interfaces and assign those to the zones you created
Make sure that intra-zone traffic is denied
Why: If a zone allows intra-zone traffic, assigning a new interface to that zone silently allows traffic between it and every other interface in the zone, with no policy to review. Denying intra-zone traffic ensures that only specific, authorized traffic (permitted by an explicit policy) passes between networks in the same zone.
How:
FG_HIFENCE # config system zone
FG_HIFENCE (zone) # edit ZONE1
FG_HIFENCE (ZONE1) # set intrazone deny
FG_HIFENCE (ZONE1) # next
FG_HIFENCE (zone) # end
Configure DNS Server
Why: The FortiGate uses DNS to resolve host names, including FortiGuard services, FQDN address objects and web/DNS filtering lookups, so it needs working DNS servers. It queries the primary server first and falls back to the secondary when the primary times out. Point it at resolvers you trust; recent FortiOS versions can also use DNS over TLS so lookups cannot be tampered with in transit.
How:
FG_HIFENCE # config system dns
FG_HIFENCE (dns) # set primary 1.1.1.1
FG_HIFENCE (dns) # set secondary 8.8.8.8
FG_HIFENCE (dns) # end
Firewall Policies & Objects
Put the most-used firewall policies on top
Why: Policies are evaluated top-down and the first match wins, so placing the busiest policies first lets the firewall find a match without walking the whole list, which saves CPU time. Only move a policy up if it does not overlap with a more specific policy above it; otherwise you change which rule matches.
How: Check the hit count of each firewall policy and move the most used ones to the top, verifying that the relative order of overlapping policies is preserved.
Log ALL traffic
Why: You will need these logs for compliance, future investigations, and reporting. Allowed sessions are as important as denied ones: during an incident it is the accepted connections that show what the attacker reached.
How: On every firewall policy, set logging to All Sessions rather than only Security Events, and make sure the logs go to a FortiAnalyzer or syslog collector; logging every session to local disk fills it quickly.
Make sure that policies without any hits are reviewed regularly.
Why: This keeps the rule base manageable. An unused policy can suddenly become active again: if an address object that referred to a decommissioned host is reused for a new host, the new host inherits the access the old policy granted.
How: Check the hit counters in the GUI (Policy & Objects > Firewall Policy, with the Hit Count column enabled) or derive them from your log platform over a longer window.
Make sure that there aren’t any firewall policies with “ALL” as service
Why: This should be pretty obvious. You do NOT want full access to the Internet or any other network segment without a good business reason
How: Check the GUI in the Firewall Policy and filter by services. Make sure there is no “ALL” as service.
Security Profiles
Antivirus, DNS, File Filter
Make sure that antivirus definition push updates are configured and the AV profile is enabled on policies
Why: New signatures should reach the firewall as soon as FortiGuard publishes them. The antivirus profile must also be applied to the firewall policies that carry the traffic; an up-to-date signature set does nothing on traffic that is not inspected.
How:
config system autoupdate push-update
set status enable
end
Enable Botnet C&C Domain Blocking DNS Filter
Why: You would want to block access to botnets at the DNS resolution phase. This helps identify compromised hosts if you have adequately integrated the firewall logs with a SIEM.
How: Go to Security Profiles > DNS Filter and make sure that “Redirect botnet C&C requests to Block Portal” is enabled in the profile. Don’t forget that the DNS filter profile must also be applied to the firewall policies that carry client DNS traffic!
Always have SSL inspection configured before using Web Filter, IPS, or Application Control
Why: Most web and application traffic is encrypted with TLS. Without deep (full) SSL inspection, Web Filter, IPS and Application Control only see what is visible in the clear (the SNI and the server certificate), so their coverage is limited. Deep inspection requires a CA certificate that the clients trust to be deployed to them, and you will normally need exemptions for certificate-pinned applications and for categories such as banking or health.
How: We will create an SSL inspection guide, but for the moment, please use this reference.
Always block QUIC protocol on the Fortigate
Why: QUIC carries HTTP/3 over UDP with its own encryption, so the proxy-based Web Filter, Application Control and IPS cannot inspect it the way they inspect TCP/TLS; a client that reaches a site over QUIC effectively bypasses the transparent proxy (see reference). Browsers that cannot establish QUIC fall back to TCP, where inspection works.
How: Add a policy at the top of the firewall rules that blocks UDP port 80 and UDP port 443. Alternatively, set the QUIC application signature to Block in the Application Control profile. Note that a plain port-based deny also blocks any other UDP/443 traffic, for example DTLS-based VPN clients, so scope the rule to the client networks or prefer the Application Control signature where that traffic exists.
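To see what the QUIC block actually has to catch, here is an added Python example (not from the original article) that classifies UDP payloads by the version-independent part of the QUIC long header (RFC 8999, with the v1/RFC 9000 and v2/RFC 9369 packet-type bits) and then applies the article's top-of-list rule, deny UDP/80 and UDP/443, to a few packets. It also shows the two failure modes of a pure port rule: QUIC on a non-standard port is not caught, and non-QUIC UDP/443 traffic is. The packets are hand-built for the example, not captures.

```python
import struct

QUIC_V1 = 0x00000001          # RFC 9000
QUIC_V2 = 0x6B3343CF          # RFC 9369
# Long Packet Type (bits 5-4 of the first byte); v2 rotates the values relative to v1.
LONG_TYPES = {
    QUIC_V1: {0b00: "initial", 0b01: "0-rtt", 0b10: "handshake", 0b11: "retry"},
    QUIC_V2: {0b01: "initial", 0b10: "0-rtt", 0b11: "handshake", 0b00: "retry"},
}


def parse_quic_long_header(payload: bytes):
    """Classify a UDP payload as a QUIC long-header packet, or return None.

    Only the invariant part of the header is parsed: header form bit, version and
    the two connection IDs. Short-header (1-RTT) packets cannot be told apart from
    arbitrary UDP data without connection state, so they are not matched here.
    """
    if len(payload) < 7 or not payload[0] & 0x80:     # Header Form bit: 1 = long header
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    if version == 0:                                   # Version Negotiation packet
        return {"version": 0, "type": "version-negotiation"}
    if not payload[0] & 0x40:                          # Fixed Bit must be 1 in v1/v2
        return None
    pos = 5
    dcid_len = payload[pos]
    pos += 1
    dcid = payload[pos:pos + dcid_len]
    pos += dcid_len
    if dcid_len > 20 or len(dcid) != dcid_len or pos >= len(payload):
        return None
    scid_len = payload[pos]
    pos += 1
    scid = payload[pos:pos + scid_len]
    if scid_len > 20 or len(scid) != scid_len:
        return None
    types = LONG_TYPES.get(version)
    ptype = types[(payload[0] >> 4) & 0x03] if types else "unknown-version"
    return {"version": version, "type": ptype, "dcid": dcid.hex(), "scid": scid.hex()}


def policy_action(proto, dport, payload, blocked_udp_ports=(80, 443)):
    """Apply the article's port-based deny rule and report what it would hit or miss."""
    quic = parse_quic_long_header(payload) if proto == "udp" else None
    blocked = proto == "udp" and dport in blocked_udp_ports
    if blocked and quic:
        return f"deny (QUIC {quic['type']}, v{quic['version']})"
    if blocked:
        return "deny (non-QUIC UDP on a blocked port: check it is not DTLS/VPN traffic)"
    if quic:
        return f"allow (QUIC {quic['type']} on UDP/{dport} slipped past the port rule)"
    return "allow"


# --- Constructed packets for the example (not captures from a real network) ---
# QUIC v1 Initial: first byte 0xC3 = long header, fixed bit, type 00 (Initial), pn-len bits 11
QUIC_INITIAL = (bytes([0xC3]) + struct.pack("!I", QUIC_V1)
                + bytes([8]) + bytes(range(8))     # 8-byte DCID 00..07
                + bytes([0])                       # empty SCID
                + bytes([0x00, 0x44, 0x00]))       # token length 0, then a truncated length field
# Version Negotiation: long header, version 0; the remaining first-byte bits are unused
QUIC_VN = bytes([0xA5]) + b"\x00\x00\x00\x00" + bytes([1, 0xAA, 1, 0xBB]) + b"\x00\x00\x00\x01"
# A DNS query (transaction id 0x1234, flags 0x0100) looks nothing like a QUIC long header
DNS_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x07example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    for proto, dport, payload in [("udp", 443, QUIC_INITIAL), ("udp", 443, QUIC_VN),
                                  ("udp", 53, DNS_QUERY), ("udp", 8443, QUIC_INITIAL),
                                  ("udp", 443, DNS_QUERY), ("tcp", 443, b"\x16\x03\x01")]:
        print(f"{proto}/{dport}: {policy_action(proto, dport, payload)}")
```

The same header parsing is what an Application Control signature keys on, which is why the signature-based block catches QUIC on any port while the port rule only covers 80 and 443.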
VPN and SSL-VPN
Always use MFA for SSL VPN users
Why: As the SSL VPN portal is Internet-facing, you want to make sure that any authentication is using an MFA.
How: Set up a RADIUS server (Microsoft NPS or another) and integrate it with Azure MFA, Cisco Duo or a similar provider, then use it as the authentication source for the SSL VPN user group. If you are not sure how, our IT consultants can always help.
User Authentication (FSSO, Radius, Local)
Deploy FSSO in DC Agent mode and NOT Polling mode
Why: In our experience, polling mode in larger environments has a good chance of missing logon events. Affected users then drop out of their FSSO groups, which is frustrating when those groups drive web authentication.
How: When deploying the FSSO Collector agent on a Domain Controller, always use DC-Agent Mode. Reference
Logging and Reporting
Event and Centralized Logging
Enable Event Logging
Why: Enabling event logging generates logs that can be stored for review and auditing or can be integrated with a SIEM.
How:
config log eventfilter
set event enable
end
Centralized Logging and Reporting
Why: Device logs should be sent to a central log collector for retention, correlation and reporting, such as a SIEM, a syslog server or FortiAnalyzer. Logs that only live on the firewall are lost with the device and can be deleted by whoever compromises it. Prefer reliable (TCP) syslog with TLS over plain UDP so that logs are neither silently dropped nor readable in transit.
How: See reference
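As an added Python example (not from the original article) that ties the centralized-logging item to the hit-count checks in the Firewall Policies section above: it parses FortiGate key=value syslog lines, counts forwarded sessions per policyid, lists configured policies that never matched in the log window, and orders policies by use for the “most-used on top” review. The log lines and the list of configured policy IDs are constructed for the example.

```python
import re
from collections import Counter

# Key=value tokenizer for FortiGate syslog lines: values are either double-quoted
# (possibly containing spaces) or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Turn one FortiGate log line into a dict, stripping quotes from string values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def policy_hits(lines):
    """Count forwarded-traffic sessions per policyid.

    Event logs and other log types are skipped; the implicit deny policy logs as policyid=0.
    """
    hits = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") == "traffic" and rec.get("subtype") == "forward" and "policyid" in rec:
            hits[int(rec["policyid"])] += 1
    return hits


def unused_policies(configured_ids, lines):
    """Policies that exist in the configuration but never matched in the log window."""
    return sorted(set(configured_ids) - set(policy_hits(lines)))


def reorder_candidates(lines):
    """Policy IDs sorted by hit count, most-used first: the order suggested for the top
    of the list, subject to the caveat that a policy must not be moved above an
    overlapping, more specific policy that should match first."""
    return [pid for pid, _ in policy_hits(lines).most_common()]


# --- Constructed log lines in FortiGate's key=value syslog format (not from a real device) ---
SAMPLE_LOGS = [
    'date=2024-05-10 time=11:37:47 devname="FG_HIFENCE" devid="FGTXXXXXXXXXXXXX" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.200.255.10 srcport=58012 srcintf="vlan10" dstip=93.184.216.34 dstport=443 dstintf="port1" proto=6 action="accept" policyid=1 service="HTTPS" sentbyte=1234 rcvdbyte=5678',
    'date=2024-05-10 time=11:37:49 devname="FG_HIFENCE" devid="FGTXXXXXXXXXXXXX" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.200.255.11 srcport=51022 srcintf="vlan10" dstip=1.1.1.1 dstport=53 dstintf="port1" proto=17 action="accept" policyid=1 service="DNS" sentbyte=70 rcvdbyte=140',
    'date=2024-05-10 time=11:38:02 devname="FG_HIFENCE" devid="FGTXXXXXXXXXXXXX" logid="0000000013" type="traffic" subtype="forward" level="warning" vd="root" srcip=10.200.255.12 srcport=40000 srcintf="vlan20" dstip=10.255.255.5 dstport=22 dstintf="vlan10" proto=6 action="deny" policyid=2 service="SSH" msg="Denied by policy" sentbyte=0 rcvdbyte=0',
    'date=2024-05-10 time=11:38:10 devname="FG_HIFENCE" devid="FGTXXXXXXXXXXXXX" logid="0100032001" type="event" subtype="system" level="information" vd="root" user="hifence_admin" ui="ssh(10.255.255.20)" action="login" status="success" msg="Administrator hifence_admin logged in successfully from ssh(10.255.255.20)"',
]
CONFIGURED_POLICY_IDS = [1, 2, 3]   # assumed policy IDs on the device, to show the "no hits" check

if __name__ == "__main__":
    print("hits per policy:", dict(policy_hits(SAMPLE_LOGS)))
    print("never matched:  ", unused_policies(CONFIGURED_POLICY_IDS, SAMPLE_LOGS))
    print("most used first:", reorder_candidates(SAMPLE_LOGS))
```

Feed it the traffic logs exported from your syslog server or FortiAnalyzer for a window long enough to cover monthly and quarterly jobs; a policy that shows no hits over a single day is not necessarily unused.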
Need Expert Firewall Management?
With over a decade of cybersecurity expertise, HIFENCE’s security professionals deliver comprehensive Managed Firewall services that include:
- 24/7 monitoring and threat detection
- Expert configuration and optimization
- Rapid incident response
- Regular security updates and patching
- Detailed compliance reporting
- Proactive threat hunting
Our team doesn’t just manage your FortiGate firewalls—we transform them into a robust security solution tailored to your organization’s unique needs.
Protect your infrastructure from today’s most sophisticated threats with HIFENCE’s managed security services.
Ready to strengthen your security posture? Contact HIFENCE today for a consultation.