Fortigate Firewall: Securing the Administrator Access from Remote Connection

As of late, we are receiving several unwanted attacks from China IP Addresses trying to have remote access to our Fortigate Firewall via Public IP. We are currently using DynDNS due to dynamic IP address allocation from our ISP. Unfortunately, subscribing to static IP address is expensive. Moreover, we have a couple of branch offices connected via Site to Site VPN and, also, remote access VPN for employees who need to work remotely while not in the office. However, there are always risks involved when you are exposing your firewall on its Public IP. Recently, we have been receiving brute force attacks from China IP addresses resulting in internet outage and Denial of Service in our office network. For these reasons, we needed to enforce the secure admin access over the remote connection feature of FortiGate firewalls. We have implemented the secure access methods, namely the Fortitoken two-factor authentication and Trusted Hosts.

 

  1. FortiToken Two Factor Authentication

picture1

FortiToken allows you to easily enable two-factor authentication for access to protected networks and security devices. FortiToken Mobile is a Fortinet application that enables you to generate One Time Passwords (OTPs) on a mobile device for FortiGate two-factor authentication. The user’s mobile device and the FortiGate unit must be connected to the Internet to activate FortiToken mobile. Once activated, users can generate OTPs on their mobile device without having network access.

 

To assign a token to an administrator go to System > Administrators and either add a new or select an existing administrator to assign the token to. Configure the administrator as required, you need to enter your email address and phone number in order to receive the activation code for the FortiToken mobile.

Select Enable Two-factor Authentication. Select the token to associate with the administrator. Select OK to assign the token to the administrator.

Picture2

Whenever an admin is logging screen, the login prompt will always ask for token code.

picture3

  1. Trusted Hosts IP Addresses

 

Setting trusted hosts for administrators limits what computers an administrator can log in the FortiGate unit from. When you identify a trusted host, the FortiGate unit will only accept the administrator’s login from the configured IP address or subnet. Any attempt to log in with the same credentials from any other IP address or any other subnet will be dropped. To ensure the administrator has access from different locations, you can enter up to ten IP addresses or subnets. Ideally, this should be kept to a minimum. For higher security, use an IP address with a net mask of 255.255.255.255, and enter an IP address (non-zero) in each of the three default trusted host fields.

picture4

 

Trusted hosts are configured when adding a new administrator by going to System > Administrators in the web-based manager and selecting Restrict this Admin Login from Trusted Hosts Only, or config system admin in the CLI.

 

The trusted hosts apply to the web-based manager, ping, snmp and the CLI when accessed through SSH. CLI access through the console port is not affected.

Also ensure all entries contain actual IP addresses, not the default 0.0.0.0.

 

 

Preventive Measures

 

If these security measures do not inhibit the brute force attacks, the next step is to enable port forwarding or using uncommon ports because currently we are using default ports for www(80), https(443) and ssh(22). Change the default administrative port to a non-standard port

Administration Settings under System > Settings or config system global in the CLI, enable you to change the default port configurations for administrative connections to the FortiGate unit for added security. When connecting to the FortiGate unit when the port has changed, the port must be included. For example, if you are connecting to the FortiGate unit using HTTPS over port 8081, the URL would be https://192.168.100.1:8081

 

If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is not used for other services.

 

 

References:

 

https://cookbook.fortinet.com/fortitoken/index.html

 

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardening-54/when_enabling_remote_access.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s