#TRUSTED 0954c4f265b136c218caf8e4aa6922e9d1b1f314cdf1a536655401cce2beb7853a3e366d475277ba379be3664f39d6efaf06b884ffe0ec0d1df4d2c3287476a4cfb2900303e1b07a2b1d4eb20ca2a687ba4630bf861a92a812c8a9a30a2bc250b48a3e77e2e445405f1d4ef524a7f27268d7138fbabc048fc08ccf4085533712a63cb8b97947ff8948e3e06aa3be3ceff717fb52d556cf62434fdcf909ece4e36912efdc827dd6f294edde9b89ea1c81baea2c519c1cfb360b0c248e4d61918bf29e60207d6787a5ccd0d88e772c42bd77f3c94cb20ac4e2d4ed2173cb342835d67546428055c4574dd0540cf819b116612c7d4cffb6f96c71c32efc911ae394ec2bdaa8d76c98d05d8842aa56c901b26d64d265da8285447004069973e57868f70ce53a6d32fdcd5a455f42698b33376871328a107a723058d8247667d0b5af5dfd7959225b3b531ce2211f7a6fce014f062c2119b103e153446d31e4dd862018cee19ed28ff3cbcc23450fa8f79d360df2d926d177a70a4304ea4c5ab9ea602c8cd86151658b3d3205b2c2a576c3947c11b4974d733f0105f621fa347d96f41ef869f0a36bb39b8f2f1f19b034582b7b69a266169159a079e3884637bc65c0a8a1d9436aa226aa498bb4fe01d01a1dbb0312fb5e23b154bfda77fdbde252de413f613b4afd28d0dc8d93ccb8d349a5351c8e125150e34056e8ca803561eab4
#TRUST-RSA-SHA256 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
#
# This script is Copyright (C) 2004-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.0 $
# $Date: 2023/06/27 $
#
# Description : This document implements the security configuration as recommended by the
# CIS Fortigate Benchmark v1.1.0
#
#
#CIS Fortigate Level 1 v1.1.0
#
# CIS
# CIS Fortigate Level 1
# 1.1.0
# https://workbench.cisecurity.org/benchmarks/10730
#
#fortigate,cis,update_20230227
#CCE,CSCv6,CSCv7,CSCv8,LEVEL
#
#
# DNS_SERVER_1
# 10.0.0.1
# DNS Server 1
# This is the IP address of the 1st DNS server utilized by your organization.
# STRING
#
#
# DNS_SERVER_2
# 10.0.0.2
# DNS Server 2
# This is the IP address of the 2nd DNS server utilized by your organization.
# STRING
#
#
# NTP_SERVER_1
# 10.0.0.3
# NTP Server 1
# This is the IP address of the 1st NTP server utilized by your organization.
# STRING
#
#
# NTP_SERVER_2
# 10.0.0.4
# NTP Server 2
# This is the IP address of the 2nd NTP server utilized by your organization.
# STRING
#
#
# WAN_PORT
# wan1
# WAN Port
# The WAN Port used for public connections
# STRING
#
#
#
#Note - The IRS Safeguards Methodology Team removed the automated test cases for 1.1, 1.3 and 2.1.4 because their values differ between agencies; the test method for those items is manual.
description : "1.2 Ensure intra-zone traffic is not always allowed"
info : "This is to make sure that only specific, authorized traffic is allowed between networks in the same zone.
Rationale:
This adds an extra layer of protection between different networks"
solution : "In this example, we'll turn off intra-zone traffic in the zone DMZ.
In CLI:
FGT1 # config system zone
FGT1 (zone) # edit DMZ
FGT1 (DMZ) # set intrazone deny
FGT1 (DMZ) # end
FGT1 #
In the GUI, click on Network -> Interfaces, select the zone and click on 'Edit' and turn on 'Block intra-zone traffic'
Default Value:
By default, intra-zone traffic is blocked"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|2.10,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1M,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system zone"
expect : "set[\s]+intrazone[\s]+deny"
description : "2.1.1 Ensure 'Pre-Login Banner' is set - enable"
info : "Configure a pre-login banner, ideally approved by the organization's legal team. This banner should, at minimum, prohibit unauthorized access, provide notice of logging or monitoring, and avoid using the word 'welcome' or similar words of invitation.
Rationale:
Through a properly stated login banner, the risk of unintentional access to the device by unauthorized users is reduced. Should legal action take place against a person accessing the device without authorization, the login banner greatly diminishes a defendant's claim of ignorance.
Impact:
Login banners provide a definitive warning to any possible intruders that may want to access the FortiGate that certain types of activity are illegal, but at the same time, it also advises the authorized and legitimate users of their obligations relating to acceptable use."
solution : "Run the following command in the CLI to enable the pre-login-banner:
FG1 # config system global
FG1 (global) # set pre-login-banner enable
FG1 (global) # end
FG1 #
In the GUI, to edit the content of the pre-login disclaimer message:
go to 'System' -> 'Replacement Messages' -> 'Extended View' -> 'Pre-login Disclaimer Message'. The edit screen is on the bottom right corner of the page. Click on 'Save' after the editing is done.
Default Value:
the 'Pre-Login Banner' is disabled by default
FG1 # config system global
FG1 (global) # show
config system global
...
set pre-login-banner disable
...
end
the warning message default value is as follows:
PRE WARNING:
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. All use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action."
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|5.1,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system global"
expect : "set[\s]+pre-login-banner[\s]+enable"
description : "2.1.1 Ensure 'Pre-Login Banner' is set - warning message"
info : "Configure a pre-login banner, ideally approved by the organization's legal team. This banner should, at minimum, prohibit unauthorized access, provide notice of logging or monitoring, and avoid using the word 'welcome' or similar words of invitation.
Rationale:
Through a properly stated login banner, the risk of unintentional access to the device by unauthorized users is reduced. Should legal action take place against a person accessing the device without authorization, the login banner greatly diminishes a defendant's claim of ignorance.
Impact:
Login banners provide a definitive warning to any possible intruders that may want to access the FortiGate that certain types of activity are illegal, but at the same time, it also advises the authorized and legitimate users of their obligations relating to acceptable use.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Run the following command in the CLI to enable the pre-login-banner:
FG1 # config system global
FG1 (global) # set pre-login-banner enable
FG1 (global) # end
FG1 #
In the GUI, to edit the content of the pre-login disclaimer message:
go to 'System' -> 'Replacement Messages' -> 'Extended View' -> 'Pre-login Disclaimer Message'. The edit screen is on the bottom right corner of the page. Click on 'Save' after the editing is done.
Default Value:
the 'Pre-Login Banner' is disabled by default
FG1 # config system global
FG1 (global) # show
config system global
...
set pre-login-banner disable
...
end
the warning message default value is as follows:
PRE WARNING:
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. All use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action."
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|5.1,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
description : "2.1.2 Ensure 'Post-Login-Banner' is set - enable"
info : "Sets the banner after users successfully login. This is equivalent to Message of the Day (MOTD) in some other systems.
Rationale:
Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III. Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA. Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v.
Impact:
When the post-login banner is enabled, some automated scripts might be affected because both the CLI and GUI require an acceptance action (press 'A' or 'Accept') to continue."
solution : "Run the following command in the CLI to enable the post-login-banner:
FG1 # config system global
FG1 (global) # set post-login-banner enable
FG1 (global) # end
FG1 #
In the GUI, to edit the content of the post-login disclaimer message, go to
System -> Replace Messages -> Extended View -> 'Post-login Disclaimer Message'. The edit screen is on the bottom right corner of the page. Click on 'Save' after the editing is done.
Default Value:
POST WARNING: This is a private computer system. Unauthorized access or use is prohibited and subject to prosecution and/or disciplinary action. All use of this system constitutes consent to monitoring at all times and users are not entitled to any expectation of privacy. If monitoring reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of this system are subject to appropriate disciplinary action.
%%LAST_SUCCESSFUL_LOGIN%% %%LAST_FAILED_LOGIN%%"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|11.1,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system global"
expect : "set[\s]+post-login-banner[\s]+enable"
description : "2.1.2 Ensure 'Post-Login-Banner' is set - warning message"
info : "Sets the banner after users successfully login. This is equivalent to Message of the Day (MOTD) in some other systems.
Rationale:
Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III. Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA. Third, in the case of government networks, banners may eliminate any Fourth Amendment 'reasonable expectation of privacy' that government employees or other users might otherwise retain in their use of the government's network under O'Connor v.
Impact:
When the post-login banner is enabled, some automated scripts might be affected because both the CLI and GUI require an acceptance action (press 'A' or 'Accept') to continue.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Run the following command in the CLI to enable the post-login-banner:
FG1 # config system global
FG1 (global) # set post-login-banner enable
FG1 (global) # end
FG1 #
In the GUI, to edit the content of the post-login disclaimer message, go to
System -> Replace Messages -> Extended View -> 'Post-login Disclaimer Message'. The edit screen is on the bottom right corner of the page. Click on 'Save' after the editing is done.
Default Value:
POST WARNING: This is a private computer system. Unauthorized access or use is prohibited and subject to prosecution and/or disciplinary action. All use of this system constitutes consent to monitoring at all times and users are not entitled to any expectation of privacy. If monitoring reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of this system are subject to appropriate disciplinary action.
%%LAST_SUCCESSFUL_LOGIN%% %%LAST_FAILED_LOGIN%%"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|11.1,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
description : "2.1.3 Ensure timezone is properly configured"
info : "Sets the local time zone information so that the time displayed by the device is more relevant to those who are viewing it.
Rationale:
Having a correct time set on the device is important for two main reasons. The first reason is that digital certificates compare this time to the range defined by their Valid From and Valid To fields to define a specific validity period. The second reason is to have relevant time stamps when logging information. Whether you are sending messages to a Syslog server, sending messages to an SNMP monitoring station, or performing packet captures, timestamps have little usefulness if you cannot be certain of their accuracy.
Impact:
For many features to work, including scheduling, logging, and SSL-dependent features, the FortiOS system time must be accurate."
solution : "In this example, we will set Eastern Timezone (GMT-5:00) for the Fortigate. Each timezone will have its corresponding ID. To find the correct ID, when you type in the command 'set timezone ', also type the question mark '?' to list all of the available timezones and their IDs. The ID of the Eastern Timezone is 12
In the CLI:
FGT1 # config system global
FGT1 (global) # set timezone 12
FGT1 (global) # end
FGT1 #
In the GUI, do the following:
1) after login to fortigate, go to 'System' -> 'Settings'
2) select '(GMT-5:00) Eastern Time (US & Canada)' under 'System Time'
Default Value:
Default value is (GMT-8:00) Pacific Time (US & Canada)"
reference : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1M,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system global"
expect : "set[\s]+timezone[\s]+[^ ]+"
description : "2.1.5 Ensure hostname is set"
info : "Changes the device default hostname.
Rationale:
The device hostname plays an important role in asset inventory and identification as a security requirement, but also in the public keys and certificate deployments as well as when correlating logs from different systems during an incident handling."
solution : "In CLI, set the hostname to 'New_FGT1' as follows:
FGT1 # config system global
FGT1 (global) # set hostname 'New_FGT1'
FGT1 (global) # end
New_FGT1 #
or In GUI, go to 'System' -> 'Settings', update the field 'Hostname' with the new hostname, and click 'Apply'
Default Value:
The default value of the hostname is the model number of the unit. Example: 'FortiGate 2000E'"
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|5.1,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system global"
expect : "set[\s]+hostname[\s]+[^ ]+"
description : "2.2.1 Ensure 'Password Policy' is enabled - status"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks. Such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by hackers, which leads to unauthorized access to the FortiGate; depending on the access privilege of the compromised account, the attacker may modify the settings."
solution : "can be modified from CLI or GUI
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the fields 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system password-policy$"
expect : "set[\s]+status[\s]+enable"
description : "2.2.1 Ensure 'Password Policy' is enabled - apply-to"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks. Such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by hackers, which leads to unauthorized access to the FortiGate; depending on the access privilege of the compromised account, the attacker may modify the settings."
solution : "Can be modified from the CLI or GUI. Note that the automated 'expect' pattern for this item appears to accept any 'set apply-to' line (both of its lookaheads are marked optional), so confirm manually that admin-password and ipsec-preshared-key are both listed.
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the fields 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system password-policy$"
expect : "set[\s]+apply-to[\s]+(?=.*admin-password)?(?=.*ipsec-preshared-key)?"
description : "2.2.1 Ensure 'Password Policy' is enabled - minimum-length"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks. Such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by hackers, which leads to unauthorized access to the FortiGate; depending on the access privilege of the compromised account, the attacker may modify the settings."
solution : "Can be modified from the CLI or GUI. Note that the automated 'expect' pattern for this item only passes when minimum-length is 14 or greater, so the value 8 used in the example below will be reported as a failure.
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the fields 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system password-policy$"
expect : "set[\s]+minimum-length[\s]+(1[4-9]|[2-9][0-9])$"
description : "2.2.1 Ensure 'Password Policy' is enabled - min-lower-case-letter"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks. Such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by hackers, which leads to unauthorized access to the FortiGate; depending on the access privilege of the compromised account, the attacker may modify the settings."
solution : "Can be modified from the CLI or GUI. Note that the automated 'expect' pattern for this item matches only a value of exactly 1 for min-lower-case-letter (the min-upper-case-letter and min-non-alphanumeric items behave the same way), so a stricter setting such as 2 is reported as a failure.
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the fields 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system password-policy$"
expect : "set[\s]+min-lower-case-letter[\s]+1$"
description : "2.2.1 Ensure 'Password Policy' is enabled - min-upper-case-letter"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks. Such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by hackers, which leads to unauthorized access to the FortiGate; depending on the access privilege of the compromised account, the attacker may modify the settings."
solution : "can be modified from CLI or GUI
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the fields 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system password-policy$"
expect : "set[\s]+min-upper-case-letter[\s]+1$"
description : "2.2.1 Ensure 'Password Policy' is enabled - min-non-alphanumeric"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks. Such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by hackers, which leads to unauthorized access to the FortiGate; depending on the access privilege of the compromised account, the attacker may modify the settings."
solution : "can be modified from CLI or GUI
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the field of 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
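context : "config system password-policy$"
# Accept any count of 1 or more: a device configured with a stricter minimum than the benchmark's
# '1' still satisfies the control, and the original '...1$' pattern reported such devices as failing.
expect : "set[\s]+min-non-alphanumeric[\s]+[1-9][0-9]*$"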
description : "2.2.1 Ensure 'Password Policy' is enabled - min-number"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks; such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by attackers, which leads to unauthorized access to the FortiGate; depending on the access privileges of the compromised account, the attacker may be able to modify its settings."
solution : "can be modified from CLI or GUI
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the field of 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
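context : "config system password-policy$"
# Accept any count of 1 or more: a device configured with a stricter minimum than the benchmark's
# '1' still satisfies the control, and the original '...1$' pattern reported such devices as failing.
expect : "set[\s]+min-number[\s]+[1-9][0-9]*$"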
description : "2.2.1 Ensure 'Password Policy' is enabled - expire-status"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks; such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by attackers, which leads to unauthorized access to the FortiGate; depending on the access privileges of the compromised account, the attacker may be able to modify its settings."
solution : "can be modified from CLI or GUI
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the field of 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system password-policy$"
expect : "set[\s]+expire-status[\s]+enable"
description : "2.2.1 Ensure 'Password Policy' is enabled - expire-day"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks; such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by attackers, which leads to unauthorized access to the FortiGate; depending on the access privileges of the compromised account, the attacker may be able to modify its settings."
solution : "can be modified from CLI or GUI
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the field of 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system password-policy$"
expect : "set[\s]+expire-day[\s]+([1-9]|[1-8][0-9]|90)$"
description : "2.2.1 Ensure 'Password Policy' is enabled - reuse-password"
info : "It is important to use secure and complex passwords for preventing unauthorized access to the FortiGate device.
Rationale:
Attackers can use brute-force password software to launch more than just dictionary attacks; such attacks can discover common passwords where a letter is replaced by a number or symbol.
Impact:
Weak passwords can be easily discovered by attackers, which leads to unauthorized access to the FortiGate; depending on the access privileges of the compromised account, the attacker may be able to modify its settings."
solution : "can be modified from CLI or GUI
From CLI, do the following:
config system password-policy
set status enable
set apply-to admin-password ipsec-preshared-key
set minimum-length 8
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 90
set reuse-password disable
end
or From GUI, do the following
1) log in to FortiGate as Super Admin
2) Go to 'System' -> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off', change it to 'Both'
5) set 'Minimum length' to '8'
6) Enable 'Character requirements'
7) set minimum '1' in the field of 'Upper Case', 'Lower Case', 'Numbers (0-9)' and 'Special'
8) Disable 'Allow password reuse'
9) Enable 'Password expiration' and set it to 90
Default Value:
By Default, Password Policy is disabled, can be checked from CLI as follows:
config system password-policy
set status disable
end
Or from GUI as follows:
1) log in to FortiGate as Super Admin
2) Go to 'System '-> 'Settings'
3) find the 'password Policy' Section
4) Default 'Password scope' is 'Off'"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system password-policy$"
expect : "set[\s]+reuse-password[\s]+disable"
description : "2.2.2 Ensure administrator password retries and lockout time are configured - admin-lockout-threshold"
info : "Failed login attempts can indicate malicious attempts to gain access to your network. To prevent this security risk, FortiGate is preconfigured to limit the number of failed administrator login attempts. After the maximum number of failed login attempts is reached, access to the account is blocked for the configured lockout period.
Rationale:
When you log in and fail to enter the correct password, you could be a valid user or an attacker attempting to gain access. For this reason, best practice is to limit the number of failed login attempts before a lockout period during which you cannot log in. The lockout period minimizes an attacker's attempts to gain access to the firewall.
Impact:
Attackers will keep attempting to access the device through brute force attacks without any interruption which may lead to a successful login."
solution : "To configure the lockout options, from CLI:
config system global
set admin-lockout-threshold 3
set admin-lockout-duration 60
end
Default Value:
By default, the number of password retry attempts is set to three, allowing the administrator a maximum of three attempts at logging in to their account before they are locked out for a set amount of time (by default, 60 seconds).
To configure the lockout options, from CLI:
config system global
set admin-lockout-threshold 3
set admin-lockout-duration 60
end"
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system global"
expect : "set[\s]+admin-lockout-threshold[\s]+[1-3]$"
description : "2.2.2 Ensure administrator password retries and lockout time are configured - admin-lockout-duration"
info : "Failed login attempts can indicate malicious attempts to gain access to your network. To prevent this security risk, FortiGate is preconfigured to limit the number of failed administrator login attempts. After the maximum number of failed login attempts is reached, access to the account is blocked for the configured lockout period.
Rationale:
When you log in and fail to enter the correct password, you could be a valid user or an attacker attempting to gain access. For this reason, best practice is to limit the number of failed login attempts before a lockout period during which you cannot log in. The lockout period minimizes an attacker's attempts to gain access to the firewall.
Impact:
Attackers will keep attempting to access the device through brute force attacks without any interruption which may lead to a successful login."
solution : "To configure the lockout options, from CLI:
config system global
set admin-lockout-threshold 3
set admin-lockout-duration 60
end
Default Value:
By default, the number of password retry attempts is set to three, allowing the administrator a maximum of three attempts at logging in to their account before they are locked out for a set amount of time (by default, 60 seconds).
To configure the lockout options, from CLI:
config system global
set admin-lockout-threshold 3
set admin-lockout-duration 60
end"
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system global"
# NOTE(review): this pattern passes only a lockout duration of exactly 120 seconds, while the
# remediation and default-value text above both state 60. A device configured as the solution
# describes is therefore reported as failing; reconcile the check with the remediation (or state the
# intended minimum in the solution text) before relying on this result.
expect : "set[\s]+admin-lockout-duration[\s]+120$"
description : "2.3.1 Ensure SNMP agent is disabled"
info : "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.
Rationale:
The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to use only SNMPv3.
Impact:
SNMP servers will not be able to query the Fortigate devices that have SNMP agents disabled."
solution : "On the CLI, run the following command to disable the agent
FGT1 # config system snmp sysinfo
FGT1 (sysinfo) # set status disable
FGT1 (sysinfo) # end
On the GUI, select System -> SNMP, disable SNMP agent
Default Value:
SNMP agent is disabled by default."
reference : "800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-53|CM-1,800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53|SA-3,800-53|SA-8,800-53|SA-10,800-53r5|CM-1,800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,800-53r5|SA-3,800-53r5|SA-8,800-53r5|SA-10,CSCv7|5.1,CSCv8|4.1,CSF|DE.AE-1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-3,CSF|PR.PT-3,GDPR|32.1.b,GDPR|32.4,HIPAA|164.306(a)(1),ITSG-33|CM-1,ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,ITSG-33|SA-3,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SA-10,LEVEL|1A,NESA|M1.2.2,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.2.1,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NESA|T7.6.5,NIAv2|GS8b,NIAv2|SS3,NIAv2|SS15a,NIAv2|SS16,NIAv2|VL2,NIAv2|VL7a,NIAv2|VL7b,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|7.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system snmp sysinfo"
expect : "set[\s]+status[\s]+disable"
description : "2.4.1 Ensure default 'admin' password is changed"
info : "Before deploying any new FortiGate, it is important to change the password of the default admin account.
It is also recommended that you change even the user name of the default admin account; however, since you cannot change the user name of an account that is currently in use, a second administrator account must be created in order to do this.
Rationale:
Default credentials are well documented by most vendors including Fortinet. Therefore, it will be one of the first things that will be tried to illegally gain access to the system.
Impact:
If not changed, any scripts that use default credentials will be able to access the system.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "In the CLI, to change the password of account 'admin'
FG1 # config system admin
FG1 (admin) # edit 'admin'
FG1 (admin) # set password
FG1 (admin) # end
FG1 #
To change the default password in the GUI:
1) Login to FortiGate with admin account
2) Go to System > Administrators.
3) Edit the admin account.
4) Click Change Password.
5) If applicable, enter the current password in the Old Password field.
6) Enter a password in the New Password field, then enter it again in the Confirm Password field.
7) Click OK.
Default Value:
By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to FortiGate, it is highly recommended that you add a password to this account.
Username: admin The default admin account does not have any password. Just leave it blank"
reference : "800-171|3.5.2,800-53|IA-5,800-53r5|IA-5,CSCv7|4.2,CSCv8|4.7,CSF|PR.AC-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5,LEVEL|1M,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
description : "2.4.2 Ensure all the login accounts having specific trusted hosts enabled"
info : "Configure an administrative account to be accessible only to someone who is using a trusted host. You can set a specific IP address for the trusted host or use a subnet.
Rationale:
Access to a firewall to perform administrative tasks should only come from specific network segments reserved for administrators. This additional layer of security ensures that no one from anywhere else on the network is able to log in, even with correct credentials.
Impact:
All access, from legitimate or illegitimate users, outside of allowed segment will be stopped. Thus, administrators working remotely will have to make sure that they have access to jump hosts that sit in the allowed segment.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "To remove a trusted host item from the list in CLI
FG1 # config system admin
FG1 (admin) # edit 'test_admin'
FG1 (test_admin) # unset trusthost1
FG1 (test_admin) # end
FG1 #
To add a trusted host into the list in CLI
FG1 # config system admin
FG1 (admin) # edit 'test_admin'
FG1 (test_admin) # set trusthost6 1.1.1.1 255.255.255.255
FG1 (test_admin) # end
FG1 #
Before adding an item, please make sure that it does not already exist. For example, if trusthost3 is already in the list, using it again will override the existing host/network.
In the web GUI, go to
System -> Administrators, select the account and click on edit. In the account setting page, make sure that 'Restrict login to trusted hosts' are enabled and all the allowed hosts / subnets are in the list of trusted Host. Please take note that certain versions of FortiOS will only show the first 3 trusted hosts in the list. If you want to see more, you have to click on the '+' sign as if you're adding a new item into the list. Keep clicking until you see an empty field of trusted host. That's when you know that you have reached the bottom of the list. To add another trusted host, fill in the empty field of the new 'Trusted Host'. To remove a trusted host, simply erase everything in the field of that corresponding host.
Default Value:
By default, each account is accessible from everywhere; the host value is 0.0.0.0/0"
reference : "800-171|3.1.5,800-171|3.1.6,800-171|3.1.14,800-53|AC-6(2),800-53|AC-6(5),800-53|AC-17(3),800-53|SI-7,800-53r5|AC-6(2),800-53r5|AC-6(5),800-53r5|AC-17(3),800-53r5|SI-7,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.4(c),CN-L3|8.1.10.6(a),CN-L3|8.1.10.6(i),CSCv7|4.6,CSCv7|11.6,CSCv7|11.7,CSCv8|5.4,CSCv8|12.8,CSF|PR.AC-3,CSF|PR.AC-4,CSF|PR.DS-6,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(c)(1),HIPAA|164.312(c)(2),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),ITSG-33|AC-17(3),ITSG-33|SI-7,ITSG-33|SI-7a.,LEVEL|1M,NESA|T3.4.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.6,NESA|T5.6.1,NESA|T7.3.2,NESA|T7.3.3,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv3.2.1|10.5.5,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|2.3,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system admin"
expect : "set[\s]+trusthost[0-9]+[\s]+[0-9.]+[\s]+[0-9.]+"
severity : MEDIUM
description : "2.4.3 Ensure admin accounts with different privileges having their correct profiles assigned"
info : "Verify that users with access to the Fortinet should only have the minimum privileges required for that particular user.
Rationale:
In some organizations, there are needs to create different levels of administrative accounts. For example, technicians from tier 1 support should not have total access to the system as compared with a tier 3 support.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "In this example, I would like to provide the profile 'tier_1' the ability to view and modify address objects. This sub-privilege is under fwgrp privilege.
In CLI
FGT1 # config system accprofile
FGT1 (accprofile) # edit 'tier_1'
FGT1 (tier_1) # set fwgrp custom
FGT1 (tier_1) # config fwgrp-permission
FGT1 (fwgrp-permission) # set address read-write
FGT1 (fwgrp-permission) # end
FGT1 (tier_1) # end
FGT1 #
For the GUI, go to
System -> Admin Profiles, select 'tier_1' and click 'Edit'. On 'Firewall', click on 'Custom' and then click on 'Read/Write' option for 'Address'.
In the next example, I would like to assign the profile 'tier_1' to the account 'support1'.
In the CLI
FGT1 # config system admin
FGT1 (admin) # edit 'support1'
FGT1 (support1) # set accprofile 'tier_1'
FGT1 (support1) # end
FGT1 #
For the GUI, go to
System -> Administrators, select 'support1' and click 'Edit'. Under 'Administrator Profile', select 'tier_1'.
Default Value:
By default, there are only 2 profiles: prof_admin and super_admin. You have to select a profile to create an admin account, the system will not automatically choose for you."
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1M,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
description : "2.4.4 Ensure idle timeout time is configured"
info : "The idle timeout period is the amount of time that an administrator will stay logged in to the GUI without any activity.
Rationale:
Best practice dictates setting the admin idle timeout to reduce the risk of unauthorized access to the device by preventing someone from using a logged-in GUI on a PC that has been left unattended.
Impact:
This is to prevent someone from accessing the FortiGate if the management PC is left unattended."
solution : "To change the idle timeout in the GUI:
1) Login to FortiGate with Super Admin privileges
2) Go to 'System' > 'Settings'.
3) In the 'Administration Settings' section, set the 'Idle timeout' value to five minutes by typing 5.
4) Click Apply.
To change the idle timeout in the CLI:
config system global
set admintimeout 5
end
Default Value:
By default, it is set to five minutes."
reference : "800-171|3.1.16,800-171|3.1.17,800-171|3.4.1,800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|AC-18,800-53|AC-18(1),800-53|AC-18(3),800-53|CM-2,800-53|CM-6,800-53|CM-7,800-53|CM-7(1),800-53|CM-9,800-53r5|AC-18,800-53r5|AC-18(1),800-53r5|AC-18(3),800-53r5|CM-2,800-53r5|CM-6,800-53r5|CM-7,800-53r5|CM-7(1),800-53r5|CM-9,CSCv7|11.1,CSCv8|4.2,CSF|DE.AE-1,CSF|PR.DS-7,CSF|PR.IP-1,CSF|PR.PT-3,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ITSG-33|AC-18,ITSG-33|AC-18(1),ITSG-33|AC-18(3),ITSG-33|CM-2,ITSG-33|CM-6,ITSG-33|CM-7,ITSG-33|CM-7(1),ITSG-33|CM-9,LEVEL|1A,NESA|T1.2.1,NESA|T1.2.2,NESA|T3.2.5,NESA|T5.4.2,NESA|T7.5.1,NESA|T7.5.3,NESA|T7.6.1,NESA|T7.6.2,NESA|T7.6.3,NIAv2|NS33,NIAv2|NS34,NIAv2|NS38,NIAv2|SS15a,NIAv2|SS16,PCI-DSSv3.2.1|2.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
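context : "config system global"
# The original alternative '1[0-5]+' let the trailing digit class repeat, so timeouts such as 100 or
# 150 minutes matched and an over-long idle timeout passed the check. The accepted range is now
# 1-15 minutes exactly, as the unquantified pattern was evidently meant to express.
expect : "set[\s]+admintimeout[\s]+([1-9]|1[0-5])$"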
description : "2.4.5 Ensure only encrypted access channels are enabled"
info : "Allow only HTTPS access to the GUI and SSH access to the CLI
Rationale:
By only allowing encrypted access, we are making it harder to use 'Man in the Middle' attack to sniff login credentials."
solution : "If HTTP or Telnet is in the allowaccess list, you will have to set that list again with the same elements except for http or telnet
FG1 # config system interface
FG1 (interface) # edit port1
FG1 (port1) # set allowaccess ssh https ping snmp
FG1 (port1) # end
FG1 #
In the web GUI, click on
Network -> Interfaces, select the interface and click 'Edit'. In the interface setting page, uncheck HTTP and Telnet in the section 'Administrative Access'.
Default Value:
By default, HTTP and Telnet are not enabled on any interface."
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|4.5,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8(1),ITSG-33|SC-8a.,LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
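context : "config system interface"
# Fail when either cleartext management protocol is enabled on any interface. The original pair of
# lookaheads required both 'http' and 'telnet' on the same allowaccess line, so an interface with
# only one of them passed; and the bare token 'http' also matched 'https'. The word boundaries
# keep 'https' from matching while still catching 'http' and 'telnet' anywhere in the list.
not_expect : "set[\s]+allowaccess[\s]+.*\b(http|telnet)\b"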
description : "2.4.6 Apply Local-in Policies"
info : "Configure Local-in Policies to control inbound traffic that is destined to a FortiGate interface.
Rationale:
Local-in Policies allow for more granular and specific control of all types of traffic that are destined for a FortiGate interface. They are not limited to management only protocols so they can extend past 'trusted host' configurations and can be configured with source and destination addresses as well as services specifically.
Impact:
Local-in Policies are processed before 'trusted host' configurations so it is important to validate that management access will be maintained once the Local-in policies are put in place.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Local-in Policies can only be configured through the CLI:
config firewall {local-in-policy | local-in-policy6}
edit [policy_id]
set intf [interface_name]
set srcaddr [source_address] ...
set dstaddr [destination_address] ...
set action {accept | deny}
set service [service_name] ...
set schedule [schedule_name]
set comments [comment_text]
next
end
For example, to prevent the source subnet 10.10.10.0/24 from pinging port1, but allow administrative access for PING on port1:
config firewall address
edit '10.10.10.0'
set subnet 10.10.10.0 255.255.255.0
next
end
config firewall local-in-policy
edit 1
set intf 'port1'
set srcaddr '10.10.10.0'
set dstaddr 'all'
set service 'PING'
set schedule 'always'
next
end
Default Value:
There are no Local-in Policies in place by default"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1M,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
context : "config firewall local-in-policy"
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
description : "2.5.2 Ensure 'Monitor Interfaces' for High Availability Devices is Enabled - Monitor Interfaces for High Availability Devices is Enabled"
info : "Configure Interface Monitoring within High Availability settings, Interface Monitoring should be enabled on all critical interfaces.
Rationale:
With Interface Monitoring enabled on devices, failover can occur if there are physical media issues or issues with the specific port that the FortiGate is connected to.
Impact:
Not configuring Interface Monitoring can directly impact services due to a failure to trigger a High Availability failover if an interface is impacted only on the primary device and it is not being monitored. Without the Interface monitoring enabled failover would be limited to hardware, system, or power faults."
solution : "To Remediate from GUI:
go to System - > HA
Under 'Monitor Interfaces' select all applicable interfaces.
select 'OK'
To Validate from CLI:
FGT1 # config system ha
FGT1 (ha) # set monitor 'port6' 'port7'
FGT1 (ha) # show ###To Review changes to monitored interfaces before applying
config system ha
set group-name 'FGT-HA'
set mode a-p
set password ENC enrwD467hJmO6j6YW/l6FEOa1YNVYdo8Z5mCcTDEKUFpOVXcNYnPBmQDGX//ViXk6TkwNH0il5aJr/fZY25lq+husndQHZVWp2LIlXmCv/n81U43nkZUWaIKvqkellGFbhv0/IHoOLzQPCsVcBbyrsgoprYMvh6w7F06+nRriBtMNQxpiTE+12xAHz7lA3EoYZzf8A==
set override disable
set monitor 'port6' 'port7'
end
Default Value:
N/A"
reference : "800-53|SI-13(5),800-53r5|SI-13(5),GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-13(5),LEVEL|1A,TBA-FIISB|39.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
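context : "config system ha"
# Only a 'set monitor ...' line demonstrates that interface monitoring is configured. The original
# pattern 'set[\s]+.+' matched any setting under 'config system ha' (for example 'set override
# disable'), so a cluster with no monitored interfaces was reported as passing.
expect : "set[\s]+monitor[\s]+.+"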
description : "2.5.3 Ensure HA Reserved Management Interface is Configured"
info : "Ensure Reserved Management Interfaces are configured on HA devices
Rationale:
To be able to access both the primary and secondary firewalls in an HA cluster, Reserved Management Interfaces need to be configured to prevent them from syncing with HA and sharing a virtual MAC address.
Impact:
Not configuring Reserved Management Interfaces impacts the ability to access secondary devices directly, because the primary and secondary devices sync their configuration exactly and float a virtualized MAC address between them for failover."
solution : "Remediate through the GUI:
go to System -> HA, edit the 'Master' device and enable 'Management Interface Reservation'. Once this is enabled, select an interface and configure the appropriate gateway.
Remediate through the CLI:
FGT1 #config system ha
FGT1 (ha) # set ha-mgmt-status enable
FGT1 (ha) # config ha-mgmt-interfaces
FGT1 (ha-mgmt-interfaces) # edit 1
new entry '1' added
FGT1 (1) # set interface port6
FGT1 (1) # set gateway 10.10.10.1
FGT1 (1) # end
FGT1 (ha) # show
config system ha
set group-name 'FGT-HA'
set mode a-p
set password ENC enrwD467hJmO6j6YW/l6FEOa1YNVYdo8Z5mCcTDEKUFpOVXcNYnPBmQDGX//ViXk6TkwNH0il5aJr/fZY25lq+husndQHZVWp2LIlXmCv/n81U43nkZUWaIKvqkellGFbhv0/IHoOLzQPCsVcBbyrsgoprYMvh6w7F06+nRriBtMNQxpiTE+12xAHz7lA3EoYZzf8A==
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface 'port6'
set gateway 10.10.10.1
next
end
set override disable
end
FGT1 (ha) # end
Default Value:
N/A"
reference : "800-53|SI-13(5),800-53r5|SI-13(5),GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-13(5),LEVEL|1M,LEVEL|2M,TBA-FIISB|39.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config system ha"
expect : "set[\s]+interface[\s]+.+"
description : "3.2 Ensure that policies do not use 'ALL' as Service - ALL as Service"
info : "We want to make sure that all security policies in effect clearly state which protocols / services they are allowing.
Rationale:
This is to make sure that the firewall does not allow traffic with unauthorized protocols/services by mistake."
solution : "In this example, we will modify policy with ID of 2 to change the service from 'ALL' to FTP and SNMP
In CLI:
FGT1 # config firewall policy
FGT1 (policy) # edit 2
FGT1 (2) # set service 'FTP' 'SNMP'
FGT1 (2) # end
FGT1 #
In the GUI,
click on Policy & Objects -> IPv4 Policy. Select the policy, click 'Edit'. In the Service section, click on it and select FTP and SNMP. Click OK
Default Value:
By default, all new policies will have 'ALL' in their service field."
reference : "800-171|3.14.6,800-171|3.14.7,800-53|SI-4,800-53r5|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CSCv7|9.2,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.DS-5,CSF|PR.IP-8,CSF|RS.AN-1,CSF|RS.CO-3,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|SI-4,LEVEL|1A,NESA|M1.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"
context : "config firewall property"
context : "edit .+"
not_expect : "set[\s]+service[\s]+ALL"
description : "3.5 Ensure firewall policy denying all traffic to/from Tor or malicious server IP addresses using ISDB"
info : "Firewall policies should include a deny rule for traffic going to/from Tor or malicious server using ISDB (Internet Service Database).
Rationale:
FortiGate includes Tor- and malicious-server-related IP addresses in the ISDB. The idea is to filter out malicious traffic using firewall policies as a first level of filtering. This is done without involving more resource-intensive processes such as IPS inspection, hence optimizing FortiGate's performance."
solution : "Review firewall policies and ensure there are:
A firewall policy created to block inbound connections with these settings:
From: Any
To: Any
Source: 'Tor-Exit.Node', 'Tor-Relay.Node', and 'Malicious-Malicious.Server'
Destination: all
Schedule: Always
Services: All
Action: Deny
Log Violation Traffic: Enabled
Enable this policy: Enabled
A firewall policy created to block outbound connections with these settings:
From: Any
To: Any
Source: All
Destination: 'Tor-Relay.Node' and 'Malicious-Malicious.Server'
Schedule: Always
Action: Deny
Log Violation Traffic: Enabled
Enable this policy: Enabled"
reference : "800-171|3.13.1,800-53|SC-7(12),800-53r5|SC-7(12),CN-L3|8.1.10.6(j),CSF|DE.CM-1,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(12),LEVEL|1M,NESA|T4.5.4,NIAv2|AM38,NIAv2|SS13d,NIAv2|SS26,PCI-DSSv3.2.1|1.4,PCI-DSSv4.0|1.5.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
context : "config firewall policy"
regex : "set internet-service-(src-)?name"
expect : "(\"Malicious-Malicious.Server\"|\"Tor-(Exit|Relay).Node\")"
min_occurrences : "2"
description : "3.6 Ensure logging is enabled on all firewall policies"
info : "Logging should be enabled for all firewall policies including the default implicit deny policy.
Rationale:
Firewall policies should log all traffic (both allow and deny policies). This enables the SOC or security analyst to do further investigations on security incidents, especially on threat hunting or incident response activities. Although there are many data sources that can provide DNS query logs (AD or EDR), this option should be enabled as a best practice and on the assumption that no other data source is available.
Impact:
By default, when creating firewall policies, the logging option is not enabled. Also, the default implicit deny policy is not logged. This creates a data gap in threat hunting or incident response activities."
solution : "Review firewall policies and ensure that:
For allowed policies, 'Log Allowed Traffic' is set to the 'All Sessions' option
For denied policies, 'Log Violation Traffic' is enabled.
Default Value:
Disabled"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,800-53r5|AU-12c.,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1M,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
context : "config firewall policy"
context : "edit .+"
regex : "set logtraffic[\s]"
expect : "all"
description : "4.3.2 Ensure DNS Filter logs all DNS queries and responses"
info : "DNS filter should log all DNS queries and responses.
Rationale:
DNS filter should log all DNS queries and responses (whether the DNS category is blocked, monitored, or allowed). This enables the SOC or security analyst to do further investigations on security incidents, especially on threat hunting or incident response activities. Although there are many data sources that can provide DNS query logs (AD or EDR), this option should be enabled as a best practice and on the assumption that no other data source is available.
Impact:
By default, allowed DNS is not logged. This creates a data gap in threat hunting or incident response activities."
solution : "Review DNS Filter Security Profiles and validate that 'Log all DNS queries and responses' is enabled.
Default Value:
Disabled"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,800-53r5|AU-12c.,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1M,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
context : "config dnsfilter profile"
regex : "set log-all-domain"
expect : "set log-all-domain enable"
description : "4.4.1 Block high risk categories on Application Control"
info : "Ensure FortiGate Application Control blocks high risk applications to reduce the attack surface.
Rationale:
High risk applications such as those in 'P2P' and 'Proxy' are known for spreading malware. Other than that, some of this traffic is encrypted and therefore able to bypass network security inspection (for those without decryption implemented). Blocking these applications from running eliminates this risk.
If any application that falls under 'P2P' and 'Proxy' needs to be allowed based on the organization's policy, that specific application needs to be under 'Monitor' mode in the 'Application and Filter Override' configuration."
solution : "Review Application Control Security Profiles and validate that the 'P2P' and 'Proxy' categories are blocked.
Default Value:
Disabled on default profile"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSF|DE.CM-4,CSF|DE.DP-3,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1M,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
context : "config application list"
context : "edit .+"
regex : "set category"
expect : "set category 2.*\s6\s?"
description : "4.4.3 Ensure all Application Control related traffic are logged"
info : "Ensure no category is set to 'Allow' on FortiGate Application Control.
Rationale:
Any category that is set as 'Allow' on Application Control will not be logged. This creates a visibility gap in security investigations. This includes the 'Unknown Applications' category.
Impact:
Visibility gap; affects incident forensics and response."
solution : "Review Application Control Security Profiles and validate that no 'Allow' action is set on any category.
Default Value:
'Unknown Applications' category is set as 'Allow'"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-12c.,800-53r5|AU-12c.,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CN-L3|8.1.3.5(a),CN-L3|8.1.3.5(b),CN-L3|8.1.4.3(a),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12c.,LEVEL|1M,NESA|T3.6.2,NESA|T3.6.5,NESA|T3.6.6,NIAv2|SM8,PCI-DSSv3.2.1|10.1,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1"
context : "config application list"
context : "edit \".+\""
context : "config entries"
context : "edit [0-9]+"
not_expect : "set action pass"
description : "5.1.1 Enable Compromised Host Quarantine"
info : "Default automation trigger configuration for when a high severity compromised host is detected.
Rationale:
By enabling this feature you protect your environment against compromised hosts. The default automation stitch quarantines a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "GUI
Security Fabric>Automation
Edit and change Disabled to Enabled
CLI
config system automation-action
edit 'Quarantine on FortiSwitch + FortiAP'
set description 'Default automation action configuration for quarantining a MAC address on FortiSwitches and FortiAPs.'
set action-type quarantine
next
edit 'Quarantine FortiClient EMS Endpoint'
set description 'Default automation action configuration for quarantining a FortiClient EMS endpoint device.'
set action-type quarantine-forticlient
next
end
config system automation-trigger
edit 'Compromised Host - High'
set description 'Default automation trigger configuration for when a high severity compromised host is detected.'
next
end
config system automation-stitch
edit 'Compromised Host Quarantine'
set description 'Default automation stitch to quarantine a high severity compromised host on FortiAPs, FortiSwitches, and FortiClient EMS.'
set status disable
set trigger 'Compromised Host - High'
config actions
edit 1
set action 'Quarantine on FortiSwitch + FortiAP'
next
edit 2
set action 'Quarantine FortiClient EMS Endpoint'
next
end
next
end
Default Value:
Not enabled"
reference : "800-171|3.13.2,800-171|3.13.5,800-53|SC-7(20),800-53r5|SC-7(20),CN-L3|8.1.10.6(j),CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.3,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/10730"