Network Security Procedure & Guidelines

This document provides guidelines for configuring and managing a FortiGate firewall. It describes the dashboard, interfaces, static routes, high availability configuration, address and service groups, firewall policies, SSL VPN settings, and monitoring of the firewall.

Uploaded by

Uday Satam

(Name of Firewall) firewall

Procedure and Guidelines


Document
Table of Contents
1. Policy Statement......................................................................................................................................... 5
2. Introduction................................................................................................................................................. 5
3. FortiGate Firewall....................................................................................................................................... 5
3.1 FortiGate Dashboard.................................................................................................................................. 5
3.2 Dashboard for Internal Firewall (DC-BLP).................................................................................................. 6
3.3 Dashboard for Internet Firewall (DC-BLP)................................................................................................. 6
4. Firewall Interface........................................................................................................................................ 7
5. Static routes................................................................................................................................................ 8
6. Fortinet High-Availability (Active/Passive)............................................................................................... 9
7. Address and Group.................................................................................................................................. 10
7.1 Address Group........................................................................................................................................... 11
7.2 Policy & Object > Addresses > Create New > Address Group......................................................................12
7.3 To edit existing Address Group................................................................................................................ 13
8. Services..................................................................................................................................................... 13
8.1 To create the port services........................................................................................................................ 14
8.2 To create the service Group...................................................................................................................... 14
8.3 Select the service member to add the services.......................................................................................15
9. Firewall Policy........................................................................................................................................... 15
9.1 To create policy.......................................................................................................................................... 16
9.2 Enable Security blades.............................................................................................................................. 17
10. SSL (Secure Socket Layer)...................................................................................................................... 17
10.1 SSL VPN modes of operation.................................................................................................................. 18
10.2 Web-only mode........................................................................................................................................ 18
10.3 Portal configuration................................................................................................................................. 19
10.4 SSL VPN setting....................................................................................................................................... 20
11. LDAP integration...................................................................................................................................... 21
12. Firewall Users........................................................................................................................................... 21
13. IPS.............................................................................................................................................................. 21
14. Static and Dynamic NAT.......................................................................................................................... 21
15. Monitoring................................................................................................................................................. 23
16. Exceptions................................................................................................................................................ 27
17. Annexure................................................................................................................................................... 28

Proprietary Notice

This document is the property of ____________ and is intended to be used only for the
purpose of the ________ project. The contents are not to be used or reproduced elsewhere
without express written approval from ____ and ______.

1. Policy Statement
Team One Technologies shall develop and implement centralized
firewall management by adopting an appropriate architecture so that
suspicious traffic will not enter the Bay Capital network.

2. Introduction
FortiGate appliances provide cost-effective, comprehensive protection against network,
content, and application-level threats, including complex attacks favored by cybercriminals,
without degrading network availability and uptime. FortiGate platforms include sophisticated
networking features, such as high availability (active/active, active/passive) for maximum
network uptime, and virtual domain capabilities to separate various networks requiring
different security policies.

3. FortiGate Firewall
3.1 FortiGate Dashboard

The Dashboard consists of a number of widgets, each displaying a different set of
information. A number of pre-configured widgets are available which can be customized to
meet needs.

To choose which widgets will be shown, select + Widget (located in the bottom left
corner) and select the widget you wish to view, which adds it to the dashboard.
Widgets can be rearranged for easier access and viewing.
Some display options are available for each widget; they can be accessed by selecting the
widget's button.

The Dashboard contains the following widgets:


• System Information
• License Information
• CLI Console
• System Resources
• Alert Message Console
• Unit Operation
• Advanced Threat Protection Statistics

3.2 Dashboard for Internal Firewall (DC-BLP)

3.3 Dashboard for Internet Firewall (DC-BLP)

4. Firewall Interface
Interfaces, both physical and virtual, enable traffic to flow to and from the internal network,
Internet and between internal networks. The FortiGate unit has a number of options for
setting up interfaces and groupings of subnetworks that can scale to a company’s growing
requirements.

FortiGate units have a number of physical ports where we can connect ethernet or optical
cables. Depending on the model, they can have anywhere from four to 40 physical ports.
Some units have a grouping of ports labelled as internal, providing a built-in switch
functionality.

In FortiOS, the port names, as labeled on the FortiGate unit, appear in the web-based
manager in the Unit Operation widget, found on the Dashboard. They also appear when you
are configuring the interfaces, by going to Network > Interface.
Interface for Internal Firewall (DC-BLP)

Interface for External Firewall (DC-BLP)

5. Static routes

With the rest of the FortiGate unit configured, static routing is the last step before moving on
to the rest of the local network. All traffic on the local network will be routed according to
this static routing entry.

To configure a static route on the FortiGate unit from the GUI: Network > Static route > Create New.

To edit existing static route

Network > Static route > Click the route > Edit
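The following is an added example; it is not part of the original document and is not Fortinet code. It models a small static route table of the kind entered under Network > Static route and the longest-prefix-match lookup that decides which entry forwards a packet, including the default route (0.0.0.0/0) that carries everything the other entries do not cover. All routes, gateways and device names are constructed for the example.

```python
"""Added example (not from the original document, not Fortinet code): a static
route table with longest-prefix-match lookup. Routes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StaticRoute:
    dst: str            # destination prefix, e.g. "0.0.0.0/0" for the default route
    gateway: str        # next-hop address
    device: str         # outgoing interface
    distance: int = 10  # administrative distance; 10 is the FortiOS default for static routes

    def __post_init__(self) -> None:
        self.network = ipaddress.ip_network(self.dst, strict=False)


def lookup(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Longest-prefix match: the most specific matching route wins; on equal prefix
    length the lowest administrative distance wins. Returns None when no route
    matches, which can only happen if the table has no default route."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


def next_hop(routes: List[StaticRoute], dst_ip: str) -> Optional[Tuple[str, str]]:
    """Return (gateway, device) for the chosen route, or None if nothing matches."""
    route = lookup(routes, dst_ip)
    return None if route is None else (route.gateway, route.device)


def sample_routes() -> List[StaticRoute]:
    """Constructed table: a default route plus two internal prefixes, one of them
    with a backup entry at a worse (higher) distance."""
    return [
        StaticRoute("0.0.0.0/0", "10.0.0.1", "wan1"),                  # default route
        StaticRoute("10.20.0.0/16", "10.0.0.2", "port2"),
        StaticRoute("10.20.0.0/16", "10.0.0.9", "port9", distance=20),  # backup, same prefix
        StaticRoute("10.20.5.0/24", "10.0.0.3", "port3"),              # more specific than /16
    ]


if __name__ == "__main__":
    table = sample_routes()
    for ip in ("10.20.5.9", "10.20.7.1", "198.51.100.7"):
        print(ip, "->", next_hop(table, ip))
```

Running the block shows that 10.20.5.9 takes the /24 entry, 10.20.7.1 takes the /16 entry with the lower distance, and an Internet address falls through to the default route; remove the default route and any address outside the listed prefixes has no route at all.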

6. Fortinet High-Availability (Active/Passive)


The basic goal of high availability (HA) for TCP/IP networks and security gateways is to keep
network traffic flowing. Uninterrupted traffic flow is a critical component for online systems
and media, because critical business processes quickly come to a halt when the network is
down.

The security gateway is a crucial component of most networks since all traffic passes
through it. A standalone network security gateway is a single point of failure that is
vulnerable to any number of software or hardware problems that could compromise the
device and bring all traffic on the network to a halt.

A common solution to the high availability problem is to eliminate the security gateway as a
single point of failure by introducing redundancy. With two or more redundant security
gateways, if one fails, the remaining gateway or gateways keep the traffic flowing. Firewall
HA mode is deployed in KRCL.

To check the HA status
System > HA
Internal Firewall (DC-BLP)

7. Address and Group
Firewall addresses define sources and destinations of network traffic and are used when
creating policies. When properly set up these firewall objects can be used with great
flexibility to make the configuration of firewall policies simpler and more intuitive. The
FortiGate unit compares the IP addresses contained in packet headers with a security
policy’s source and destination addresses to determine if the security policy matches the
traffic.

To create a new address
Policy & Object > Addresses > Create New > Address

7.1 Address Group

Address groups are designed for ease of use in the administration of the device. If you have
a number of addresses or address ranges that will commonly be treated the same or require
the same security policies, you can put them into address groups, rather than entering
multiple individual addresses in each policy that refers to them.

The use of groups is not required. If you have a number of different addresses, you could add
them individually to a policy and the FortiGate firewall will process them just as quickly and
efficiently as if they were in a group. However, once you have used a particular combination
of addresses you are likely to need it again, and depending on the number of addresses
involved, entering them individually for each policy becomes tedious and the likelihood of an
address being missed grows. If a number of policies use that combination of addresses, it is
much easier to add or remove addresses in the group than to remember every firewall policy
the combination was used in. With a group, you make one edit and it takes effect in every
firewall policy that uses that address group.

Because security policies require addresses with homogenous network interfaces, address
groups should contain only addresses bound to the same network interface, or to any.

7.2 Policy & Object > Addresses > Create New > Address Group

After clicking Address Group, click Members to add members; the available addresses are
listed on the right side of the window. Select the addresses from the address table and they
are added as members of the address group.

7.3 To edit existing Address Group
Policy & Object > Addresses > Group (select the group) > Edit

8. Services
In Fortinet terminology, a Custom Service is a user-defined service that does not already exist
among the predefined services. A service can be thought of as a traffic type and includes the
protocol type (TCP, UDP or ICMP, for example) as well as the logical destination ports.

8.1 To create the port services
Policy & Object > Services > Create New > Service

8.2 To create the service Group
Policy & Object > Services > Create New > Service Group

8.3 Select the service member to add the services

9. Firewall Policy
A firewall acts as a filter between your network and the outside world by scanning all network
traffic and deciding what is allowed in or out. Firewalls are a well-known part of network
security and in the last few years most operating systems include one as part of the system.
Personal computer firewalls are usually fairly straightforward, as you can pretty much turn
them on and let them do their thing.

Things get a bit complicated when a single box, like a FortiGate, is used to manage multiple
network devices, especially if you want to restrict some traffic sources while allowing
others. This is where firewall policies, also called security policies, come into play on
FortiGate.

A FortiGate firewall operates on the basic idea that only traffic that is expressly permitted is
allowed to come in and out of the network. That is why every FortiGate starts out with a default
deny policy that cannot be deleted, which is used as a catch-all for traffic that is not
specifically set up as allowed. Most FortiGate units also have a default policy that allows
traffic from the LAN to the Internet.

The list of policies configured in the firewall will be maintained separately in a Word/Excel
document and will be updated as and when changes are made to the rules/policies.
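The following is an added example covering sections 7, 8 and 9 together; it is not part of the original document and is not Fortinet code. It models address objects and address groups (with the section 7.1 rule that group members must share one interface or be bound to any), custom services and service groups, and an ordered IPv4 policy list evaluated top to bottom, first match wins, with the implicit deny-all that cannot be deleted applied when nothing matches. All object names, subnets, interface names and ports are constructed for the example.

```python
"""Added example (not from the original document, not Fortinet code): address and
service objects combined into a first-match policy list with an implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Address:
    """Address object (Policy & Object > Addresses > Address)."""
    name: str
    subnet: str              # e.g. "10.0.10.100/32"; "0.0.0.0/0" models the built-in "all"
    interface: str = "any"   # interface the object is bound to; "any" = not bound

    def __post_init__(self) -> None:
        self.network = ipaddress.ip_network(self.subnet, strict=False)

    def contains(self, ip) -> bool:
        return ip in self.network


@dataclass
class AddressGroup:
    """Address group; section 7.1: members must share one interface, or be bound to any."""
    name: str
    members: List[Address]

    def __post_init__(self) -> None:
        bound = {m.interface for m in self.members if m.interface != "any"}
        if len(bound) > 1:
            raise ValueError(f"address group {self.name!r} mixes interfaces {sorted(bound)}")

    def contains(self, ip) -> bool:
        return any(m.contains(ip) for m in self.members)


@dataclass
class Service:
    """Custom service: protocol plus an inclusive destination port range (section 8)."""
    name: str
    protocol: str                    # "tcp", "udp" or "icmp"
    ports: Tuple[int, int] = (0, 0)  # ignored for icmp

    def matches(self, protocol: str, dport: int) -> bool:
        if protocol != self.protocol:
            return False
        return self.protocol == "icmp" or self.ports[0] <= dport <= self.ports[1]


@dataclass
class ServiceGroup:
    name: str
    members: List[Service]

    def matches(self, protocol: str, dport: int) -> bool:
        return any(m.matches(protocol, dport) for m in self.members)


@dataclass
class Policy:
    """One IPv4 policy row (Policy & Object > IPv4 Policy)."""
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: object   # Address or AddressGroup
    dstaddr: object   # Address or AddressGroup
    service: object   # Service or ServiceGroup
    action: str       # "accept" or "deny"
    ips: bool = False # section 9.2: Security Profile > IPS enabled on this row


IMPLICIT_DENY = (0, "deny")   # the catch-all that cannot be deleted


def evaluate(policies: List[Policy], srcintf: str, dstintf: str,
             src: str, dst: str, protocol: str, dport: int) -> Tuple[int, str]:
    """Return (policy id, action) of the first policy matching the flow, else the implicit deny."""
    sip, dip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p.srcintf in (srcintf, "any") and p.dstintf in (dstintf, "any")
                and p.srcaddr.contains(sip) and p.dstaddr.contains(dip)
                and p.service.matches(protocol, dport)):
            return p.policy_id, p.action
    return IMPLICIT_DENY


def sample_policies() -> List[Policy]:
    """Constructed objects: one LAN, two DMZ web servers, a Web service group, three policies."""
    lan = Address("LAN-subnet", "192.168.1.0/24", interface="internal")
    web_servers = AddressGroup("web-servers", [
        Address("web-srv-1", "10.0.10.100/32", interface="dmz"),
        Address("web-srv-2", "10.0.10.101/32", interface="dmz"),
    ])
    all_addr = Address("all", "0.0.0.0/0")
    web = ServiceGroup("Web", [Service("HTTP", "tcp", (80, 80)), Service("HTTPS", "tcp", (443, 443))])
    return [
        Policy(1, "internal", "dmz", lan, web_servers, web, "accept", ips=True),
        Policy(2, "internal", "wan1", lan, all_addr, web, "accept"),
        Policy(3, "wan1", "dmz", all_addr, web_servers, web, "accept", ips=True),
    ]


if __name__ == "__main__":
    pols = sample_policies()
    print(evaluate(pols, "internal", "dmz", "192.168.1.10", "10.0.10.100", "tcp", 443))
    print(evaluate(pols, "internal", "dmz", "192.168.1.10", "10.0.10.100", "tcp", 22))
```

The second call in the usage block is the point of the default deny policy: SSH from the LAN to the web server is not listed in any row, so it lands on policy id 0 and is dropped. Mixing a "dmz"-bound and an "internal"-bound address in one group raises ValueError at construction time, mirroring the constraint stated in section 7.1.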

9.1 To create policy
Policy & Object > IPv4 Policy > Create New

9.2 Enable Security blades
Policy & Object > IPv4 Policy > Security Profile > IPS (Enable)

10. SSL (Secure Socket Layer)

SSL VPNs establish connectivity using SSL, which functions at Layers 4 and 5 (Transport and
Session layers). Information is encapsulated at Layers 6 and 7 (Presentation and Application
layers), so SSL VPNs communicate at the highest layers of the OSI model. SSL is not, strictly
speaking, a Virtual Private Network (VPN) technology; a VPN allows clients to connect to remote
networks in a secure way. A VPN is a secure logical network created from physically
separate networks. VPNs use encryption and other security methods to ensure that only
authorized users can access the network, and that the data transmitted between computers
cannot be intercepted by unauthorized users. When data is encoded and transmitted over the
Internet in this way, it is said to be sent through a "VPN tunnel". A VPN tunnel is not tied to
a particular application; it allows users and networks to exchange a wide range of traffic
regardless of application or protocol.

SSL (Secure Sockets Layer), as used by HTTPS, is supported by most web browsers for exchanging
sensitive information securely between a web server and a client. SSL establishes an
encrypted link, ensuring that all data passed between the web server and the browser
remains private and secure. SSL protection is initiated automatically when a user (client)
connects to a web server that is SSL enabled. Once the successful connection is
established, the browser encrypts all the information before it leaves the computer. When
the information reaches its destination, it is decrypted using a secret (private) key. Any data
sent back is first encrypted and is decrypted when it reaches the client.

10.1 SSL VPN modes of operation

When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the
user based on username, password, and authentication domain. A successful login
determines the access rights of remote users according to user group. The user group
settings specify whether the connection will operate in web-only mode or tunnel mode.

10.2 Web-only mode

Web-only mode provides remote users with a fast and efficient way to access server
applications from any thin client computer equipped with a web browser. Web-only mode
offers true clientless network access using any web browser that has built-in SSL encryption
and the Sun Java Runtime Environment.

In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and
authenticates remote users as members of a user group. After successful authentication,
the FortiGate unit redirects the web browser to the web portal home page and the user can
access the server applications behind the FortiGate unit. When the FortiGate unit provides
services in web-only mode, a secure connection between the remote client and the
FortiGate unit is established through the SSL VPN security in the FortiGate unit and the SSL
security in the web browser. After the connection has been established, the FortiGate unit
provides access to selected services and network resources through a web portal.

SSL VPN web-only/tunnel mode: supported operating systems and web browsers.
In KRCL, the AD server is integrated with the firewall, and SSL VPN user authentication
requests are handled by AD. User groups have been imported from AD to provide finer access
control for users.

10.3 Portal configuration

10.4 SSL VPN setting

Assign the SSL VPN client IP address range, DNS server details and user group access.

11. LDAP integration

12. Firewall Users

13. IPS

Intrusion Prevention System (IPS) technology protects your network from cybercriminal
attacks by actively seeking and blocking external threats before they can reach potentially
vulnerable network devices.

FortiOS’s Intrusion Prevention System (IPS) technology protects your network against
attacks by looking for and blocking network-level threats before they can reach your
potentially vulnerable network devices. FortiOS offers a wide range of tools to monitor, block
and analyze malicious activity, including: IPS signatures, filters and sensors, quarantines,
packet logging, out of band sniffer mode and options for hardware acceleration. FortiOS IPS
supports both IPv4 and IPv6 traffic, as well as SSL inspection of encrypted traffic.

14. Static and Dynamic NAT

Static NAT:

In Static NAT one internal IP address is always mapped to the same public IP address.

In FortiGate firewall configurations this is most commonly done with the use of Virtual IP
addressing.

For example, when using a Virtual IP address, set the external IP address 200.200.100.100 to
map to 10.0.10.100. This means that any traffic sent to the public address 200.200.100.100
will be directed to the internal computer at the address 10.0.10.100.

When using a Virtual IP address, this will have the added function that whenever traffic
goes from 10.0.10.100 to the Internet it will appear to the recipient of that traffic at the other
end as coming from 200.200.100.100.

Dynamic NAT:

Dynamic NAT maps the private IP addresses to the first available Public Address from a
pool of possible Addresses. In the FortiGate firewall this can be done by using IP Pools.

Overloading

This is a form of Dynamic NAT that maps multiple private IP address to a single Public IP
address but differentiates them by using a different port assignment. This is probably the
most widely used version of NAT. This is also referred to as PAT (Port Address Translation)
or Masquerading.

As mentioned before, this is sometimes called Port Address Translation because the network
device uses TCP ports to determine which internal IP address is associated with each
session through the device. For example, if a network has internal addresses ranging from
192.168.1.1 to 192.168.1.255 and we have 5 computers all trying to connect to a web site
that is normally listening on port 80, all of them will appear to the remote web site to have
the IP address 256.16.32.65, but each will have a different sending TCP port, with the port
numbers being somewhere between 1 and 65 535 (although port numbers from 1 to 1024 are
usually reserved or already in use). So it could be something like the following:
192.168.1.10 256.16.32.65: port 486
192.168.1.23 256.16.32.65: port 2409
192.168.1.56 256.16.32.65: port 53763
192.168.1.109 256.16.32.65: port 5548
192.168.1.201 256.16.32.65: port 4396

And the remote web server would send the responding traffic back based on those port
numbers so the network device would be able to sort through the incoming traffic and pass it
on to the correct computer.
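The following is an added example covering the whole of section 14; it is not part of the original document and is not Fortinet code. It models the two NAT forms described above: StaticNat is the Virtual IP case (one internal address mapped to one public address in both directions), and PortOverloadNat is PAT/masquerading, where several internal hosts share one public IP and the device tells their sessions apart by the translated source port, reversing the mapping for the replies. Note that the page's public address 256.16.32.65 cannot be a real IPv4 address (no octet can exceed 255); the example therefore uses the constructed documentation address 203.0.113.65 and includes the check that catches the invalid one. Hosts, ports and addresses are constructed.

```python
"""Added example (not from the original document, not Fortinet code): static NAT
(Virtual IP) and port-overloaded dynamic NAT (PAT) translation tables."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


def is_valid_ipv4(text: str) -> bool:
    """True for a syntactically valid IPv4 address; 256.16.32.65 fails this check."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


class StaticNat:
    """One-to-one mapping, as done with a Virtual IP: inbound traffic to the public
    address reaches the mapped host, and the mapped host's outbound traffic appears
    to come from the public address."""

    def __init__(self, external_ip: str, mapped_ip: str) -> None:
        self.external_ip = str(ipaddress.IPv4Address(external_ip))
        self.mapped_ip = str(ipaddress.IPv4Address(mapped_ip))

    def inbound(self, dst_ip: str) -> str:
        return self.mapped_ip if dst_ip == self.external_ip else dst_ip

    def outbound(self, src_ip: str) -> str:
        return self.external_ip if src_ip == self.mapped_ip else src_ip


class PortOverloadNat:
    """PAT / masquerading: many internal (ip, port) pairs share one public IP and
    are distinguished by a unique public source port per session."""
    EPHEMERAL_START = 1025   # the page notes ports 1-1024 are usually reserved or in use
    PORT_MAX = 65535

    def __init__(self, public_ip: str) -> None:
        self.public_ip = str(ipaddress.IPv4Address(public_ip))   # rejects 256.x.x.x
        self._next_port = self.EPHEMERAL_START
        self.out_table: Dict[Endpoint, int] = {}   # internal endpoint -> public port
        self.in_table: Dict[int, Endpoint] = {}    # public port -> internal endpoint

    def _allocate_port(self) -> int:
        # Sequential allocation keeps the example deterministic; a real device
        # chooses ports differently, as the page's scattered port numbers show.
        while self._next_port in self.in_table:
            self._next_port += 1
        if self._next_port > self.PORT_MAX:
            raise RuntimeError("public port space exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def translate_outbound(self, src: Endpoint) -> Endpoint:
        """Internal (ip, port) -> (public ip, public port); reused for an existing session."""
        if src not in self.out_table:
            port = self._allocate_port()
            self.out_table[src] = port
            self.in_table[port] = src
        return self.public_ip, self.out_table[src]

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Reply to (public ip, public port) -> internal (ip, port); None if no session."""
        ip, port = dst
        if ip != self.public_ip:
            return None
        return self.in_table.get(port)


def demo_five_hosts() -> List[Tuple[str, int]]:
    """The page's scenario: 5 LAN hosts connecting to a web site on port 80 all appear
    as the single public address, each with its own public port (constructed hosts)."""
    nat = PortOverloadNat("203.0.113.65")
    hosts = ["192.168.1.10", "192.168.1.23", "192.168.1.56", "192.168.1.109", "192.168.1.201"]
    return [(h, nat.translate_outbound((h, 40000))[1]) for h in hosts]


if __name__ == "__main__":
    for host, public_port in demo_five_hosts():
        print(f"{host} -> 203.0.113.65: port {public_port}")
    print(is_valid_ipv4("256.16.32.65"))   # the page's address is not valid IPv4
```

Because the two tables are kept in both directions, a reply from the web server to 203.0.113.65 on one of the allocated ports maps back to exactly one internal host and port, and a reply to a port with no session entry is dropped (returns None), which is the behaviour that makes overloaded NAT act as a basic inbound filter.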

15. Monitoring

FortiAnalyzer

FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single
system, delivering increased knowledge of security events throughout the network. The
FortiAnalyzer family minimizes the effort required to monitor and maintain acceptable use
policies, as well as identify attack patterns to help fine-tune policies. Organizations of any
size will benefit from centralized security event logging, forensic research, reporting, content
archiving, data mining and malicious file quarantining.
FortiAnalyzer offers enterprise class features to identify threats, while providing the flexibility
to evolve along with your ever-changing network. FortiAnalyzer can generate highly
customized reports for business requirements, while aggregating logs in a hierarchical,
tiered logging topology.

FortiAnalyzer can be deployed as physical or virtual appliances to collect, correlate, and
analyze geographically and chronologically diverse security data. It aggregates alerts and log
information from Fortinet appliances and third-party devices in a single location, providing a
simplified, consolidated view of security posture. In addition, FortiAnalyzer platforms provide
detailed data capture for forensic purposes, to comply with policies regarding privacy and
disclosure of information security breaches.

Key Features & Benefits

Fortinet offers the FortiAnalyzer VM in a stackable license model based on GB of logs per day
and storage add-ons. This model allows you to expand the VM solution as the environment
expands. When configuring FortiAnalyzer VM

FortiView — Powerful Network Visibility


o Customizable interactive dashboard to rapidly pinpoint and resolve problems
o Intuitive summary views of network traffic, threats, applications and many more
o Granular views of wireless users, rogue access points and endpoint vulnerabilities
o Visualization with graphical bubble charts, and a geographical Threat Map
o Drill-down to follow the trail of an attacker, trace transactions and gain new insights

FortiGuard Indicators of Compromise — Automated Correlation Engine
o Scans FortiGate security logs to identify suspicious traffic patterns
o Automated breach defense system that continuously monitors your network for attacks
o Presents a prioritized list of hosts which are compromised and require further action
o IOC improves security posture and helps safeguard organizations through accurate
detection of advanced threats.

System Settings Dashboard

Network Profile

Device Manager

Reports

Log View

16. Exceptions
Requests for exceptions to this standard will be reviewed and approved or denied on a
case-by-case basis according to the Firewall Policy and Standard.

17. Annexure

Annexure A
Request Date:
Application Details for which rule / policy to be set:
Application Server Details for which rule / policy to be set:
Policy/rule to be set in FW (External or Internal):

Annexure B
Request Date:
Application Details:
Application Server:
Policy / rule set in FW:
Policy/rule is tested and its status:
Request of Reporting Officer:
Approved By:
Policy/Rule No. in FW added / Modified / Deleted in Internal or External Firewall:
IT System In-Charge Signature with Date:
System Team and Service Provider:
