FortiGate : 5 Admin Access Security Hardening Tips

  • Published on 5 Sep 2024

Comments • 60

  • @FortinetGuru 4 years ago +1

    What tips and tricks about security hardening do you have? Post them below!

  • @DannyMaas 4 years ago +8

    I have another tip for you: Change the self-signed certificate!!! Fortinet has the device serial number in its certificate. If you have a partner account with Fortinet, you'll be able to look up the status of its support and licensing. If it expired 6 months ago, you'll have 6 months of zero-days the Fortinet appliance will never detect. It's easy to do in 5 minutes. I used to give this to my students as an extra assignment if they had to wait for the rest of the class to finish their other assignments. Better not to use the admin port on the internet, but that's not always an option. Changing the certificate is.

    • @alejandroparrello6493 1 year ago

      Hi Danny, could you explain how to do it? Regards from Argentina 😉

    • @inevitable-joy 2 months ago

      This doesn't make sense to me...

  • @battlement 4 years ago +7

    One tip that comes to mind is create and use geographical address objects. For example, if your company is based in the States, create a geo-usa address object and attach it to your incoming SSL-VPN connection policy so that only IP addresses from the geographical USA are allowed. This is also good for DMZ servers that should only be accessed from within a geographical region.

    • @FortinetGuru 4 years ago +1

      Absolutely. Wonderful tip.

  • @PankajKumar-ky3ip 1 year ago

    That was really a concise package of FortiGate security hardening. Your videos are really helpful for me. Great work, man.

  • @brandonhuggins1736 2 years ago

    Nice. I'm new to FortiGate and this was great. Lead architect and customer will be happy with these simple hardening changes.

  • @darkhsu 4 years ago +2

    The two built-in free FortiTokens are very helpful. Thanks for the video.

    • @FortinetGuru 4 years ago

      No problem. Glad it was beneficial!

    • @DannyMaas 4 years ago

      If you have more than 2 admins, just buy a few more. 5 extra tokens are only $300 list price (you'll get a discount). Really cheap for tokens that will never expire.

  • @ncasagrande1 4 years ago

    Great info! I'm a SonicWall guy, but still watch all your videos as things such as this cross over. Luckily I was already doing everything you mentioned and constantly review my configs.

    • @FortinetGuru 4 years ago

      Awesome. I've been half tempted to make a channel about firewalls in general just to help educate and assist.

  • @rockinron5113 1 year ago

    Nice one!

  • @keonedwards4619 4 years ago +2

    Great videos. Will you do a troubleshooting video using the Fortinet tools in the future? Like the packet capture, debug flow and packet sniffer... Others may not know how easy it is to troubleshoot from their own device.

    • @FortinetGuru 4 years ago

      Absolutely.

    • @HC19200 3 years ago

      Good suggestion

  • @Darkk6969 2 years ago +1

    I generally don't delete admin or root accounts. If you can't rename it, give it a very long password and then disable the account. I always create a new admin account using a completely different name so hackers can't guess it. On Linux servers, make sure root doesn't have the ability to log into SSH.

    • @FortinetGuru 2 years ago +1

      Some best practice standards / regulatory requirements (I hate saying that because best practice is dependent on the risk appetite of the organization) recommend or require the deletion or renaming of the default admin account.

  • @slimgaus 4 years ago +1

    Great video.
    Can you make a video about policy setup on Fortinet when a domain member PC is required in the DMZ zone? How do you set it up, and which traffic do you pass from DMZ -> INSIDE?

    • @FortinetGuru 4 years ago +1

      Will add it to the list.

    • @slimgaus 4 years ago +1

      Thanks.
      Keep up the good work.

  • @izzywazzo8397 2 years ago

    Love the videos, Mike. You break the steps down into layman's terms and it's made understanding concepts much easier. In regard to port 541 for FGFM access, is there a way to restrict this to FortiCloud IPs? I assume by editing local-in policies via CLI. Find it odd they would leave 541 unrestricted for the management from FortiCloud.

  • @ovi6192 2 years ago +1

    (7:55) Why not just rename admin in the first place? Why create new_account + use new_account and delete orig_admin?

  • @lenders1164 4 years ago

    Excellent content as always Mike!

  • @JoSmuckatelly 3 years ago

    I try to use Geolocation objects to scope access to 1) Internet facing websites (i.e. the ticketing system for a regional business doesn't need access from IP addresses sourced from Asia), 2) the remote access VPN, 3) HTTPS/SSH access if it must be available on the WAN interface. While an attacker could easily proxy through a US VPN to get around this, no sense in making it too easy for them.

  • @RaviChinasamy 4 years ago

    Great video!! Nice new improvements overall (tooltips) 👍

  • @NateC556 2 years ago

    Is there a way to add an address object to trusted hosts? I have done this on other firewalls, SonicWalls recently, and it makes it much easier for "future proofing".

  • @jefflambert7513 3 years ago

    Good stuff... thanks!!

  • @Vishalbhosekar659 1 year ago

    You are awesome.

  • @tomwaterloo 2 years ago

    Is it possible to configure the maximum login attempts and lockout period from the GUI? 6.4.9?

  • @amitpatil6178 3 years ago

    Nice bro

  • @TheKamaladmire1 2 years ago

    Hi Guru, urgently need help. I have converted a config from McAfee to FortiGate using FortiConverter; however, I am not able to export the config. I don't have a licence for FortiConverter. Is there another way to do it?

  • @Pniesiek 2 years ago

    Hey, I have a problem with FortiGate... It's brand new, and when I just add a security profile to my policy, the whole company can't access Office 365 :( They get a certificate error for Office things. Pls help.

  • @prashanthnayak6904 3 years ago

    Hello... I need one help please..... I have 1 ill with 5 static IPs provided by the ISP... How do I utilize all the IPs as redundant? 2nd question is, if we have 2 different ISPs, then we want to use both ISPs in SD-WAN / ISP groupings with one single virtual IP as failover (meaning if ISP "A" goes down, traffic should flow with ISP "B" with minimal disruption to the link). Please advise, as I'm new to this forum. Thank you.

    • @FortinetGuru 3 years ago

      If you want the same IP space between multiple providers you are normally looking at BGP.

  • @danbrisson8159 4 years ago

    How about setting up a VIP and port on the WAN interface for the LAN interface? Then you can create a policy that allows specific IPs to hit the VIP ports for SSH and HTTPS access. Then you can disable all management protocols on the WAN interface. Thoughts?

    • @FortinetGuru 4 years ago

      I would rather use a hardened device (FortiGate) vs. punching a hole straight into the network and having to secure the policy AND the end device that is being used as a jump box. That's just me though.

    • @danbrisson8159 4 years ago

      @FortinetGuru Sorry, I wasn't clear. The VIP maps to the LAN address of the FortiGate. So in effect, from the Internet you are hitting the LAN mgmt interfaces directly, restricted by source IP using an IPv4 policy.

    • @FortinetGuru 4 years ago

      Oh, well in that case it is kinda redundant, right? You could just use a local-in policy to whitelist who can talk on the outside interface and achieve the same thing without potentially providing internal access.

    • @danbrisson8159 4 years ago +1

      @FortinetGuru Local-in, for sure. I just wish Fortinet made it easier to modify the local-in policy. Don't get me wrong, I'm not afraid of the CLI, but man, this shouldn't be that hard. By the way, thx for the great videos. I'm still draining my system of years of Cisco PIX/ASA.

    • @FortinetGuru 4 years ago

      No problem at all. I'm all for Cisco routers and switches. I despise ASAs though, and the newer gear just ain't up to Palo/Fortinet caliber.

  • @mitchellsmith4601 3 years ago

    I never administer using SSH or HTTPS, those are disabled. If I want to administer, I first connect via VPN.

    • @FortinetGuru 3 years ago

      You are using SSH or HTTPS, just via a different interface, unless you are VPN connecting and using a serial console device.

    • @mitchellsmith4601 3 years ago

      @FortinetGuru Not to be argumentative, but we use IPsec, not SSL.

    • @FortinetGuru 3 years ago

      I didn't define which type of VPN. Also, not being argumentative. You are administering the box through some means; you just have layers of security on top of it before you can hit that.

  • @mdabdulmoiz 3 years ago

    I see 2 IP addresses that are hitting my firewall from outside that I want to block. How will I do that?

    • @FortinetGuru 3 years ago

      You mean they are just hitting the outside address of the firewall? If that is the case, you can just disable ping, HTTPS, HTTP, etc. on the outside interface.

    • @mdabdulmoiz 3 years ago

      @FortinetGuru Yes, I see the brute force with those IPs. We also have admins accessing management on WAN and we cannot set trusted hosts. Is there a way we could block access for such IPs, and is there a way we could set an IPS policy which could block or stop them?

    • @techlover1 3 years ago +1

      @mdabdulmoiz The best solution would be to turn off external management and set up VPN for your admins.

    • @mdabdulmoiz 3 years ago

      @techlover1 What I did was add trusted hosts for management users. That solved the problem; now I don't see random hits from WAN.
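The thread above touches several separate controls: geography address objects (@battlement, @JoSmuckatelly), a local-in policy instead of a VIP to the management interface (@danbrisson8159 and @FortinetGuru), trusted hosts on the admin account (@mdabdulmoiz) and the login lockout question from @tomwaterloo. The FortiOS CLI below is an added example that combines them; it is not from the video or from any commenter. The interface name wan1, the object and account names, the country code and the host 203.0.113.10 are assumed placeholders.

```fortios
# Added example, not from the video: layered admin-access hardening.
# Placeholders: wan1, geo-USA, netops-admin, 203.0.113.10.

# 1. Lock an admin account after 3 failed logins for 60 seconds.
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end

# 2. A geography address object, as suggested for scoping WAN-side access.
config firewall address
    edit "geo-USA"
        set type geography
        set country "US"
    next
end

# 3. A non-default admin account restricted to one trusted host.
#    Logins from any other source are rejected before the password
#    is even checked, which is what stopped the WAN hits in the thread.
config system admin
    edit "netops-admin"
        set accprofile "super_admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set password PLACEHOLDER-set-a-real-password
    next
end

# 4. Local-in policy on the outside interface: accept HTTPS/SSH only from
#    the geo object, then explicitly deny the rest. Without rule 2 the
#    interface's allowaccess setting would still admit other sources.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-USA"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

The trusted-host list and the local-in policy are evaluated independently, so both have to permit a source before the login prompt is reached; removing HTTPS and SSH from allowaccess on wan1 entirely, as @FortinetGuru suggests, remains the simpler option when out-of-band or VPN access is available.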

  • @cdfaulk 4 years ago +3

    Obscurity is not security.