Security is a journey not a destination.

CyberPatriot

What Is CyberPatriot?

CyberPatriot is the National Youth Cyber Education Program created by the Air Force Association to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future. At the core of the program is the National Youth Cyber Defense Competition, the nation’s largest cyber defense competition that puts high school and middle school students in charge of securing virtual networks. Other programs include AFA CyberCamps, an elementary school cyber education initiative, a children’s literature series, and CyberGenerations, a cyber safety initiative geared toward keeping senior citizens safe online.

Hardening the Fortinet

I have been working on the Security Fabric - Security Rating area. It covers all aspects of hardening your Fortinet.

1.) Set up the wireless access points to be outward facing. They can’t access the internal network.
2.) I moved the TV and other AV components to a separate subnet and interface and made it outward facing only.
3.) Interfaces: Remove everything, including ping, from WAN1 and WAN2. This prevents anyone on the outside from accessing the admin console.
4.) Removed unused policies and created new policy groups based on interfaces.
5.) Setting up IPv6 policies.

Only allow HTTPS and SSH on the other interfaces. System – Settings: Choose redirect to HTTPS.
6.) System – Settings: Change the HTTPS port to something other than 443.
7.) Fortinet has 2FA on administrator users.
8.) SSH 2FA on all Ubuntu servers.
9.) Configuring IPv6 on all interfaces and WAP SSIDs.
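
One way to check an exported configuration against step 3, step 6 and the HTTPS/SSH-only rule above. This is an added example, not the author's or Fortinet's code: the sample backup, the interface name internal and the helper names parse and audit are constructed for illustration, and the parser handles only the simple block layout shown.

```python
import re
# Constructed sample of a FortiOS config backup (not taken from the page).
SAMPLE_CONFIG = """
config system global
    set admin-sport 443
end
config system interface
    edit "wan1"
        set allowaccess ping https
    next
    edit "internal"
        set allowaccess ping https ssh http
    next
end
"""
WAN_PORTS = {"wan1", "wan2"}    # step 3: no administrative access at all
LAN_ALLOWED = {"https", "ssh"}  # other interfaces: HTTPS and SSH only

# Returns {section: {entry name or None: {option: [values]}}}; nested blocks are skipped.
def parse(text):
    sections, depth, name, entry = {}, 0, None, None
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        verb = words[0] if words else ""
        if verb == "config":
            depth += 1
            if depth == 1:
                name, entry = " ".join(words[1:]), None
                sections.setdefault(name, {})
        elif verb == "end":
            depth = max(depth - 1, 0)
        elif depth == 1 and verb == "edit":
            entry = words[1]
        elif depth == 1 and verb == "set":
            sections[name].setdefault(entry, {})[words[1]] = words[2:]
    return sections

# Lists every setting that deviates from the hardening steps above.
def audit(text):
    cfg, findings = parse(text), []
    for name, opts in cfg.get("system interface", {}).items():
        access = set(opts.get("allowaccess", []))
        extra = access if name in WAN_PORTS else access - LAN_ALLOWED
        if extra:
            findings.append(f"{name}: remove allowaccess {' '.join(sorted(extra))}")
    glob = cfg.get("system global", {}).get(None, {})
    if glob.get("admin-sport", ["443"]) == ["443"]:  # assumption: unset means 443
        findings.append("global: admin-sport is still 443")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns one finding per deviation; an empty list means the backup matches the steps checked.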

Web Application Firewall

Every PHP code hardening page includes using a WAF (Web Application Firewall). This is on the Fortinet 60E. SQL injection is blocked at the Fortinet 60E. This is the default setup. I have changed it.

Certificate

Below is how I generate my 5-name certificate. The main name is the CN. The DNS.x entries are your other names. Copy the entire block and run it on your Linux server. It generates your key file, 5Cert.key, and your certificate signing request (CSR), 5Cert.csr.

# Requires bash: -config reads the settings through process substitution.
openssl req -new -sha256 -nodes -out 5Cert.csr -newkey rsa:2048 -keyout 5Cert.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=State
L=City
O=Organization
OU=
emailAddress=
CN = www.domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# One additional hostname per DNS.x line
DNS.1 =
DNS.2 =
DNS.3 =
DNS.4 =
EOF
)

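On the FortiGate CLI

Configure the FortiGate unit to use the newly imported certificate for HTTPS admin access. The name of the imported certificate goes after set admin-server-cert and set auth-cert, and the policy ID goes after edit.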

# config sys global
# set admin-server-cert
# end

# config firewall policy
# edit
# set auth-cert
# set auth-redirect-addr "FGT.example.com"
# end

# config user setting
# set auth-cert
# set auth-secure-http enable
# end

Security Profiles

phpMyAdmin was the best tool I installed for creating databases and running scripts. To protect it, I moved it to its own port. phpMyAdmin made this project possible by providing a GUI to see the data in the tables and work on it.

phpMyAdmin Download page