Fortinet 60E hardening

Security is a journey not a destination.

Cyber Patriot

What Is CyberPatriot?

​CyberPatriot is the National Youth Cyber Education Program created by the Air Force Association to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future. ​At the core of the program is the National Youth Cyber Defense Competition, the nation’s largest cyber defense competition that puts high school and middle school students in charge of securing virtual networks. Other programs include AFA CyberCamps, an elementary school cyber education initiative, a children’s literature series, and CyberGenerations –a cyber safety initiative geared toward keeping senior citizens safe online

Hardening the Fortinet

1.) Interfaces:  Remove everything except ping from WAN1 and WAN2.  This will prevent anyone from the outside access to the admin console. 

Only allow HTTPS and SSH on the other interfaces. 

System – Settings: Choose redirect to https. 

2.) System – Settings: Change the https port to something other than 443. 

Web Application Firewall

Every PHP code hardening page includes using a WAF: Web Application Firewall.  This is on the Fortinet 60E.  SQL Injection is blocked at the Fortinet 60E.  This is the default setup.  I have changed it.

Certificate

Below this area is how I generate my 5 name certificate.  Main name is the CN.  DNS.x are your other names.   You copy the entire block and run it on your linux server.  It generates your key file, 5Cert.key and you certificate CSR, 5Cert.csr.

openssl -req -new -sha256 -nodes -out \5Cert.csr -newkey rsa:2048 -keyout \5Cert.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=State
L=City
O=Organization
OU=
emailAddress=
CN = www.domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 =
DNS.2 =
DNS.3 =
DNS.4 =
EOF

On Fortigate CLI

Configure Fortigate unit to use the newly imported certificate HTTPS admin access.

# config sys global
# set admin-server-cert
# end

#config firewall policy
#edit
#set auth-cert
#set auth-redirect-addr “FGT.example.com”
#end

#config user setting
#set auth-cert
#set auth-secure-http enable
#end

Security Profiles

Installing phpMyAdmin was the best tool I installed for creating databases and running scripts.  To protect it, I moved it to its own port. phpMyAdmin made doing this project possible with a GUI package to see the data in the tables and work on them. 

phpMyAdmin Download page