
Certifications and Compliances

FortiOS Handbook v3
for FortiOS 4.0 MR3
FortiOS Handbook Certifications and Compliances
v3
16 December 2011
01-433-129720-20111216
Copyright 2011 Fortinet, Inc. All rights reserved. Contents and terms are subject to
change by Fortinet without prior notice. Reproduction or transmission of this publication
is encouraged.
Trademarks
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to
techdoc@fortinet.com.
FortiOS Handbook
FortiOS Handbook v3: Certifications and Compliances
01-433-129720-20111216 3
http://docs.fortinet.com/
Contents
Introduction 7
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
How this guide is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
FIPS-CC operation of FortiGate units 9
Introduction to FIPS-CC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Security level summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Overview of Common Criteria compliant operation . . . . . . . . . . . . . . . . . . 10
Use of non-FIPS-CC compliant features. . . . . . . . . . . . . . . . . . . . . . 10
Effects of FIPS-CC compliant mode . . . . . . . . . . . . . . . . . . . . . . . . 10
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Initial configuration of the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . 13
Installing the unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Configuration of units with AMC/FMC modules . . . . . . . . . . . . . . . . . . 13
Downloading and installing FIPS-CC compliant firmware . . . . . . . . . . . . . 13
Installing the FIPS-CC firmware . . . . . . . . . . . . . . . . . . . . . . . . 14
Verifying the firmware version of the unit . . . . . . . . . . . . . . . . . . . . . 14
A note about non FIPS-CC functionality . . . . . . . . . . . . . . . . . . . . . . 14
Access Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Memory log size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Enabling FIPS-CC mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Configuring interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Re-enabling NPU support . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
FIPS-CC mode status indicators. . . . . . . . . . . . . . . . . . . . . . . . . . 16
Self-test settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Running self-tests manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
User guidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Remote access requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Setting minimum DH primes size . . . . . . . . . . . . . . . . . . . . . . . 17
Enabling administrative access . . . . . . . . . . . . . . . . . . . . . . . . 17
SSH client requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Web browser requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Disclaimer access banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Modifying the disclaimer text . . . . . . . . . . . . . . . . . . . . . . . . . 18
Administrator account lockout settings . . . . . . . . . . . . . . . . . . . . . . 18
Scheduled administrator access . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Using custom administrator access keys (certificates) . . . . . . . . . . . . . . 19
Importing the custom RSA key . . . . . . . . . . . . . . . . . . . . . . . . 19
Enabling the custom RSA key . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configuration backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Firewall authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
User account lockout settings . . . . . . . . . . . . . . . . . . . . . . . . . 20
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Logging to external devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Required logging settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Excluding specific logs (selective audit) . . . . . . . . . . . . . . . . . . . . . . 23
Viewing log messages from the web-based manager . . . . . . . . . . . . . . . 23
Viewing log messages from the CLI . . . . . . . . . . . . . . . . . . . . . . . . 24
Setting filtering for log messages . . . . . . . . . . . . . . . . . . . . . . . 24
Sorting log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Viewing log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Resetting log filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Backing up log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Backing up log messages using the web-based manager . . . . . . . . . . 25
Viewing log file information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Deleting filtered log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Deleting rolled log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Alarm CLI configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Alarm notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Acknowledging alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Alarm polling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Error modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
FIPS Error mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
CC Error mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Disabling FIPS-CC mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Configuring FortiGate units for PCI DSS compliance 31
Introduction to PCI DSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
What is PCI DSS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
What is the Customer Data Environment . . . . . . . . . . . . . . . . . . . . . 31
PCI DSS objectives and requirements . . . . . . . . . . . . . . . . . . . . . . . 31
Wireless guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Network topology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
The CDE wired LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
The CDE wireless LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Other internal networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Security policies for the CDE network . . . . . . . . . . . . . . . . . . . . . . . . . 36
Controlling the source and destination of traffic . . . . . . . . . . . . . . . . . . 36
Controlling the types of traffic in the CDE . . . . . . . . . . . . . . . . . . . . . 37
The default deny policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Wireless network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Scanning for rogue access points . . . . . . . . . . . . . . . . . . . . . . . . . 37
Automatic detection of rogue APs. . . . . . . . . . . . . . . . . . . . . . . 38
Viewing the results of rogue AP scanning . . . . . . . . . . . . . . . . . . . 38
Logging the results of rogue AP scanning. . . . . . . . . . . . . . . . . . . 38
Securing a CDE network WAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Setting wireless security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Logging wireless network activity . . . . . . . . . . . . . . . . . . . . . . . 39
Protecting stored cardholder data . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Protecting communicated cardholder data . . . . . . . . . . . . . . . . . . . . . . 39
Configuring IPsec VPN security . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Configuring SSL VPN security . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Protecting the CDE network from viruses . . . . . . . . . . . . . . . . . . . . . . . 40
Enabling FortiGate antivirus protection . . . . . . . . . . . . . . . . . . . . . . 40
Configuring antivirus updates . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Enforcing firewall use on endpoint PCs . . . . . . . . . . . . . . . . . . . . . . 41
Monitoring the network for vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . 41
Using the FortiOS Network Vulnerability Scan feature. . . . . . . . . . . . . . . 41
Monitoring with other Fortinet products . . . . . . . . . . . . . . . . . . . . . . 41
FortiAnalyzer network vulnerability scan. . . . . . . . . . . . . . . . . . . . 42
Fortinet Database Security (FortiDB) . . . . . . . . . . . . . . . . . . . . . 42
FortiScan Vulnerability and Compliance Management platform . . . . . . . 42
FortiWeb Web Application Security . . . . . . . . . . . . . . . . . . . . . . 42
Restricting access to cardholder data . . . . . . . . . . . . . . . . . . . . . . . . . 42
Controlling access to the CDE network . . . . . . . . . . . . . . . . . . . . . . . . 42
Password complexity and change requirements . . . . . . . . . . . . . . . . . 42
Password non-reuse requirement . . . . . . . . . . . . . . . . . . . . . . . . . 43
Administrator lockout requirement . . . . . . . . . . . . . . . . . . . . . . . . . 43
Administrator timeout requirement. . . . . . . . . . . . . . . . . . . . . . . . . 44
Administrator access security . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Remote access security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
SSL VPN users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
IPsec VPN users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Appendix 45
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
IPv4 IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Example Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Tips, must reads, and troubleshooting. . . . . . . . . . . . . . . . . . . . . . . 47
Typographical conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Registering your Fortinet product . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Training Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Technical Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Comments on Fortinet technical documentation . . . . . . . . . . . . . . . . . 48
Customer service and support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Fortinet products End User License Agreement . . . . . . . . . . . . . . . . . . . . 48
Introduction
Welcome and thank you for selecting Fortinet products for your network protection. This
document discusses issues related to certifications and compliances, specifically Federal
Information Processing Standards (FIPS), Common Criteria (CC), and Payment Card
Industry Data Security Standard (PCI DSS).
This chapter contains the following topics:
Before you begin
How this guide is organized
Before you begin
Before you begin using this guide, please ensure that:
You have administrative access to the web-based manager and/or CLI.
The FortiGate unit is integrated into your network.
The operation mode has been configured.
The system time, DNS settings, administrator password, and network interfaces have
been configured.
Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
FortiGuard Analysis & Management Service is properly configured.
While using the instructions in this guide, note that administrators are assumed to be
super_admin administrators unless otherwise specified. Some restrictions will apply to
other administrators.
How this guide is organized
This FortiOS Handbook chapter contains the following sections:
FIPS-CC operation of FortiGate units describes how to install and use special FortiOS
firmware builds certified to either Federal Information Processing Standards (FIPS) or
Common Criteria (CC) requirements.
Configuring FortiGate units for PCI DSS compliance explains the Payment Card Industry
Data Security Standard (PCI DSS). It provides information about configuring your network
and FortiGate unit to help you comply with PCI DSS requirements.
Appendix contains documentation conventions, information about using the CLI, and
customer support information.
FIPS-CC operation of FortiGate units
Fortinet produces special FortiOS firmware builds that are compliant with U.S. Federal
Information Processing Standards (FIPS), Common Criteria (CC) security requirements,
or both. These are enhanced security options for some FortiGate Unified Threat
Management System models.
This section describes how to install these special builds on a FortiGate Unified Threat
Management System and how to operate the unit in the FIPS-CC compliant mode. It
provides information about features that differ from the standard firmware for your
FortiGate unit. Installation of FIPS-CC certified firmware is required only if the unit was
not ordered with this firmware pre-installed.
At the publication date of this document, the latest FIPS certified systems use firmware
based on FortiOS version 4.0 and the latest Common Criteria certified systems use
firmware based on FortiOS version 3.0 MR4.
This document is intended to be used by a system administrator.
This chapter contains the following sections:
Introduction to FIPS-CC
Overview of Common Criteria compliant operation
Initial configuration of the FortiGate unit
Administration
Firewall
Logging
Alarms
Error modes
Disabling FIPS-CC mode
Introduction to FIPS-CC
Security level summary
Fortinet performs Common Criteria certifications on specific FortiOS versions in
combination with specific FortiGate models. Fortinet performs FIPS 140-2 certifications
on specific FortiOS versions in combination with specific FortiGate models (FIPS 140-2
Level 2 certification) and on FortiOS independent of the FortiGate hardware (FIPS 140-2
Level 1 certification). Information on Common Criteria certification is found in the relevant
Security Target. Information on FIPS 140-2 certification is found in the relevant Security
Policy. These documents are available on the Fortinet Support web site from the same
directory where you download the firmware.
Documentation
The documentation for FortiGate units operated in FIPS-CC mode consists of this
document and the standard FortiGate unit documentation set for the version of FortiOS
that the FIPS-CC build is based on. This documentation is available from the Fortinet
Technical Documentation web site at http://docs.forticare.com.
Overview of Common Criteria compliant operation
Common Criteria compliant operation requires both that you use the FortiGate Unified
Threat Management System in its FIPS-CC mode and that you follow secure procedures
for installation and operation of the FortiGate unit. You must ensure that:
The FortiGate unit is installed in a secure physical location.
Physical access to the FortiGate unit is restricted to authorized operators.
Strong password policies are enabled by default.
Administration of the FortiGate unit is permitted using only certified administrative
methods. These are:
console connection
web-based manager via HTTPS
command line interface (CLI) access via SSH
The FortiGate unit can be used in either of its two operation modes: NAT/Route or
Transparent. NAT/Route mode applies security features between two or more different
networks (for example, between a private network and the Internet). Transparent
mode applies security features at any point in a network. The current operation mode
is displayed on the web-based manager Status page and in the output of the get
system status CLI command. Also, on units with a front panel display, Transparent mode is
indicated by FIPS-CC-TP and NAT/Route by FIPS-CC-NAT on the display.
Use of non-FIPS-CC compliant features
FIPS-CC mode does not prevent you from using non-FIPS-CC compliant features that
are not permanently disabled. If you use these features, however, you are not operating
the FortiGate unit in strict FIPS-CC compliance according to the Security Target or
Security Policy.
Effects of FIPS-CC compliant mode
The following list describes, not necessarily in order, the effects of enabling FIPS-CC
mode with respect to the normal mode of operation.
Interfaces
Immediately after switching to FIPS-CC mode, all network interfaces are down and
have no IP address assigned. Configure interfaces as needed.
By default, admin access (except for ping access) is disabled and must be enabled on
a per-interface basis.
Network interfaces cannot be configured for HTTP or Telnet administrative access.
NPU support is disabled by default, but can be re-enabled.
Some FortiGate models have grouped interfaces that by default operate as a switch
with a single IP address. Optionally, these interfaces can be configured as individual
interfaces, each with its own IP address. FIPS-CC supports both configurations.
Administration
Administrative access via HTTPS or SSH requires strong cryptography: AES or 3DES
encryption with SHA1 digest. DES encryption and MD5 digest are not available.
By default, after three failed attempts to log on to an administrator account, the
account is locked out for one hour. You can change the number of attempts permitted
and the length of the lockout. See Administrator account lockout settings on
page 18.
Optionally, you can limit administrator access to scheduled times. See Scheduled
administrator access on page 19.
On a CLI session, when an administrator logs out or the session times out, the
FortiGate unit sends 300 carriage return characters to clear the screen. Note: if your
terminal buffer is large, not all information from the session is cleared.
The USB auto install options are disabled.
The control panel keys cannot be used to modify the FortiGate unit configuration.
The FortiGate unit front panel displays FIPS-CC- followed by the operation mode,
NAT or TP. You might have to press a panel key to deactivate the screen saver
and view this display.
The get system status CLI command display includes FIPS-CC mode: enable.
By default, all administrators must accept a disclaimer statement at logon. This
disclaimer can be disabled or modified. See Disclaimer access banner on page 18.
When configuring passwords or keys, the FortiGate unit requires you to enter the
password or key a second time as confirmation.
Configuration backups use 3DES encryption with a HMAC-SHA1 checksum and a
user-defined password. FIPS-CC mode backup files are not valid in non-FIPS-CC
mode and vice-versa.
The FortiGate unit performs self-tests at startup, when cryptographic keys are
generated, and on a recurring basis. If any of these tests fail, the unit goes into FIPS
Error mode and shuts down. The self-tests cannot be disabled, except by leaving
FIPS-CC mode. Also, the administrator can run self-tests at any time. See Running
self-tests manually on page 16.
TFTP communication is insecure and is disabled by default. In non-FIPS-CC
operation TFTP can be used to back up or restore the configuration remotely. In
FIPS-CC mode, you should use a USB drive for this purpose. TFTP can be re-enabled
using the tftp keyword in the config system global CLI command, but this is not
FIPS-CC compliant operation.
Remote access clients must meet security requirements. See Remote access
requirements on page 17.
There is an alarm capability. See Alarms on page 26.
The fnsysctl command, which provides some access to the underlying operating
system, is not available.
Virus attack reporting to FortiGuard Distribution Service (FDS) is disabled.
HA
In HA mode, HA heartbeat data is exchanged using AES encryption and SHA1
authentication. The key is automatically generated, but can be overridden by setting the
key field to a new 16-byte hexadecimal value, like this:
config system ha
set key fd0a0803e0157d4e
end
FortiOS will require the key value to be entered again to confirm it.
Routing
Immediately after switching to FIPS-CC mode, no DNS addresses are configured.
Immediately after switching to FIPS-CC mode, no default route is configured.
Logging
Logging is enabled by default for:
new security policies
interfaces where administrative access is enabled
attempts to gain administration access on network interfaces where administrative
access is not enabled
failed connection attempts to the FortiGate unit using TCP/IP ports other than 22
(ssh), 23 (telnet), 80 (HTTP), and 443 (HTTPS).
all configuration changes
configuration failures
remote IP lockout due to reaching maximum number of failed login attempts
log viewing
interface going up or down
other traffic: dropped ICMP packets, dropped invalid IP packets, session start and
session deletion
Logging is enabled for all event types at debug severity level.
Memory logging is enabled on units that do not contain a hard disk. Logging includes
traffic logging and all event types.
Traffic logging to memory is available only in FIPS-CC mode.
Reaching 95% of the log storage capacity results in the FortiGate unit entering an
error mode that shuts down all of the interfaces until the administrator intervenes.
Firewall
Immediately after switching to FIPS-CC mode, all security policies are removed.
Newly-created security policies have Log allowed traffic enabled by default.
Newly-created security policies are disabled and must be explicitly enabled.
Blocking of spoofed TCP RST packets is enabled by default.
VPN
The DES and MD5 algorithms are not available.
Diffie-Hellman groups 14 through 18 are available to VPN configurations and group 15
is the default. DH groups 15 through 18 use 3072 to 8192-bit keys. You should use
these groups for FIPS-CC compliant VPNs between FortiGate units. Current versions
of the FortiClient Host Security application support only DH groups 1, 2 and 5.
ANSI X9.31 RSA signature is an optional authentication method for IPsec VPNs. This
method is supported by default on FortiGate units in FIPS-CC mode.
By default, 2048-bit RSA certificates are configured, but 1024-bit certificates can be
configured.
Initial configuration of the FortiGate unit
This section describes how to configure your FortiGate unit in the FIPS-CC mode of
operation. Proceed as follows:
Install the unit following the procedures in the documentation.
Register your FortiGate unit with Fortinet.
If you are upgrading an existing FortiGate unit to FIPS-CC firmware, download the
appropriate firmware from Fortinet and install it on your unit.
Verify the firmware version of your FortiGate unit.
Enable FIPS-CC mode.
Installing the unit
Both the Quick Start Guide and the Getting Started section of the Installation Guide for
your FortiGate unit provide instructions on the physical installation and initial
configuration of your unit. When you have completed these procedures you will be able
to access both the web-based manager and Command Line Interface (CLI).
Configuration of units with AMC/FMC modules
To use AMC/FMC modules, you must insert and configure them before enabling FIPS-CC
mode. Modules inserted during FIPS-CC mode operation cause intermittent failures of
integrity self-tests.
For more information about using AMC/FMC modules, refer to the documentation
provided with your FortiGate unit.
Downloading and installing FIPS-CC compliant firmware
Unless you purchased a FortiGate unit with FIPS-CC firmware pre-installed, you need to
download and install the appropriate firmware for your FortiGate unit. The Support web
site provides FIPS-certified and CC-certified versions of FortiOS firmware for specific
FortiGate models. Refer to the relevant CC Security Target or FIPS Security Policy
document to determine which specific build you need.
To download the firmware
1 With your web browser, go to https://support.fortinet.com/ and log in using the name
and password you received when you registered with Fortinet Support.
2 Navigate to the download page for the appropriate version of FortiGate firmware and
select the FIPS-CC-Certified folder. Download the FIPS-CC compliant firmware build
you need. Save the file on the management computer or on your network where it is
accessible from the FortiGate unit.
Installing the FIPS-CC firmware
You can install the FIPS-CC compliant firmware as an upgrade from the standard
firmware.
To install the FIPS-CC firmware
1 Using the management computer, connect to the unit's web-based manager. See the
Quick Start Guide or the Installation Guide for information.
2 Type admin in the name field. If you have assigned a password, type it in the
Password field. Select Login.
3 Go to Dashboard > Status.
4 Under System Information > Firmware version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The unit uploads the firmware image file, upgrades to the new firmware version,
restarts, and displays the Login page. This process takes a few minutes.
Verifying the firmware version of the unit
Execute the following command from the command line:
get system status
The version line of the status display shows the FortiGate model number, firmware
version, build number and date. For example:
Version: Fortigate-500A 4.00,build6204,100928
Verify in the relevant security target or security policy document that your firmware
version, build number and date are appropriate.
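The following Python snippet is added here as an example; it is not code from the handbook or from FortiOS. It parses the Version line and the FIPS-CC mode line out of get system status output and compares them with the build listed in the relevant Security Policy or Security Target. The status text is constructed to match the form shown above, and the values in EXPECTED_BUILD are placeholders that in practice are copied from the certification document.

```python
import re

# Constructed sample of `get system status` output. The Version line follows the form
# shown in the handbook; the other lines are illustrative, not captured from a real unit.
SAMPLE_STATUS = """\
Version: Fortigate-500A 4.00,build6204,100928
FIPS-CC mode: enable
Operation Mode: NAT
Current virtual domain: root
"""

# Placeholder: the certified version, build and date come from the Security Policy
# or Security Target for your model, not from this example.
EXPECTED_BUILD = {"version": "4.00", "build": "6204", "date": "100928"}

VERSION_RE = re.compile(
    r"^Version:\s*(?P<model>\S+)\s+(?P<version>[\d.]+),build(?P<build>\d+),(?P<date>\d{6})\s*$",
    re.MULTILINE,
)
FIPS_RE = re.compile(r"^FIPS-CC mode:\s*(?P<state>\w+)\s*$", re.MULTILINE)


def parse_status(text):
    """Return model, version, build, date and a fips_cc flag parsed from status output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Version line found in status output")
    info = m.groupdict()
    f = FIPS_RE.search(text)
    # The indicator is the literal line "FIPS-CC mode: enable"; anything else means
    # the unit is not running in FIPS-CC mode.
    info["fips_cc"] = bool(f) and f.group("state").lower() == "enable"
    return info


def check_certified_build(text, expected):
    """Compare parsed status output with the certified build.

    Returns a list of findings; an empty list means the firmware version, build number
    and date match `expected` and the unit reports FIPS-CC mode enabled.
    """
    info = parse_status(text)
    findings = []
    for key in ("version", "build", "date"):
        if info[key] != expected[key]:
            findings.append(f"{key}: unit reports {info[key]}, certified value is {expected[key]}")
    if not info["fips_cc"]:
        findings.append("FIPS-CC mode is not enabled (no 'FIPS-CC mode: enable' line)")
    return findings


if __name__ == "__main__":
    for finding in check_certified_build(SAMPLE_STATUS, EXPECTED_BUILD) or ["unit matches certified build"]:
        print(finding)
```

In practice the status text would be pasted from a console or SSH session; the check deliberately compares all three fields, since a build number alone does not distinguish two builds of different dates.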
A note about non FIPS-CC functionality
Even when operated in non-FIPS-CC mode, the FIPS-CC firmware functionality differs in
some ways from the standard FortiGate firmware on which it is based.
Access Profiles
Log & Report access is split into Log & Report Configuration and Log & Report Data. In
the web-based manager, the Log & Report access control item expands to show these
two access controls. In the CLI, you can independently control administrator access to
logging configuration and data as follows:
config system accprofile
edit <profile_name>
set loggrp custom
config loggrp-permission
set config {none | read | read-write}
set data-access {none | read | read-write}
end
end
Memory log size
Maximum memory log size is configurable from the CLI:
config log memory global-setting
set max-lines <value>
end
Log full limit thresholds are configurable from the CLI:
config log memory global-setting
set full-first-warning-threshold [1-100 default=75]
set full-second-warning-threshold [1-100 default=90]
set full-final-warning-threshold [1-100 default=95]
end
These threshold values are a percentage of the max-lines limit. When the first threshold is
reached, an informational event is logged. When the second and final thresholds are
reached, warning events are logged. The log message in each case is in the form,
Memory [log-type] log is [percentage]% full. After the final threshold is reached, new log
messages overwrite the oldest log message.
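As an added illustration, not code from the handbook or from FortiOS, the following Python model reproduces the threshold behaviour described above for a configurable max-lines limit: an informational event when the first threshold is reached, warning events at the second and final thresholds, each raised once per crossing, and overwriting of the oldest message once the final threshold has been reached. The log lines are constructed placeholders, and the reading that the log stops growing at the final threshold is an assumption, noted in the code.

```python
from collections import deque

# Handbook defaults for the three fill-level thresholds (percent of max-lines).
DEFAULT_THRESHOLDS = {"first": 75, "second": 90, "final": 95}
SEVERITY = {"first": "information", "second": "warning", "final": "warning"}


class MemoryLog:
    """Fixed-capacity in-memory log that raises the three fill-level events.

    The event text follows the documented form "Memory [log-type] log is [percentage]% full".
    Assumption: once the final threshold has been reached the log no longer grows and each
    new line displaces the oldest one.
    """

    def __init__(self, log_type, max_lines, thresholds=None):
        t = dict(DEFAULT_THRESHOLDS, **(thresholds or {}))
        for name, pct in t.items():
            if not 1 <= pct <= 100:
                raise ValueError(f"{name} threshold {pct} is outside 1-100")
        if not t["first"] < t["second"] < t["final"]:
            raise ValueError("thresholds must satisfy first < second < final")
        if max_lines < 1:
            raise ValueError("max-lines must be at least 1")
        self.log_type = log_type
        self.max_lines = max_lines
        self.thresholds = t
        self.lines = deque()   # oldest entry on the left
        self.events = []       # (severity, message) pairs raised by threshold crossings
        self._raised = set()   # thresholds already reported, so each fires once

    def percent_full(self):
        return 100 * len(self.lines) // self.max_lines

    def append(self, line):
        if "final" in self._raised:
            self.lines.popleft()   # overwrite the oldest message instead of growing
        self.lines.append(line)
        pct = self.percent_full()
        # A single append can cross more than one threshold on a small log, so check all.
        for name in ("first", "second", "final"):
            if pct >= self.thresholds[name] and name not in self._raised:
                self._raised.add(name)
                self.events.append((SEVERITY[name], f"Memory {self.log_type} log is {pct}% full"))


def fill_log(log_type="event", max_lines=100, count=120, thresholds=None):
    """Write `count` constructed lines into a MemoryLog and return it for inspection."""
    log = MemoryLog(log_type, max_lines, thresholds)
    for i in range(count):
        log.append(f"line-{i}")   # constructed placeholder entries
    return log


if __name__ == "__main__":
    log = fill_log()
    for severity, message in log.events:
        print(severity, message)
    print(len(log.lines), "lines retained, oldest is", log.lines[0])
```

With max-lines set to 100 and 120 lines written, the model reports the 75%, 90% and 95% events once each and retains 95 lines, the first 25 having been overwritten. The ordering check in the constructor is the point to note: if the thresholds are set out of order, the final warning can fire before the first, so validating them when the setting is applied avoids a misleading sequence of events.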
Enabling FIPS-CC mode
If you have verified the firmware version, you are ready to enable FIPS-CC mode. As part
of enabling FIPS-CC mode, you must define the administrator password. You must use a
console connection to enable FIPS-CC mode. If you try to use another type of
connection, a check permission failed error occurs.
To enable FIPS-CC mode
1 Log in to the CLI using the default admin account or another account with the
super_admin access profile. Enter the following commands:
config system fips-cc
set status enable
end
2 In response to the following prompt, enter the password for the administrator:
Please enter administrator password:
3 When prompted, re-enter the administrator password.
The CLI displays the following message:
Warning: most configuration will be lost,
do you want to continue? (y/n)
4 Enter y.
The FortiGate unit restarts and runs in FIPS-CC compliant mode.
When you enable FIPS-CC mode, all of the existing configuration is lost.
If the FortiGate unit is currently in multi-VDOM mode, you need to precede the above
commands with the command config global.
Configuring interfaces
When FIPS-CC mode is initially enabled, all network interfaces are down and have no IP
addresses assigned. This example shows how to configure port1 with an IP address of
192.168.0.99 and administrative access to permit use of the web-based manager.
config system interface
edit port1
set ip 192.168.0.99 255.255.255.0
set allowaccess https
set status up
end
For detailed information about configuring network interfaces, refer to the FortiGate
documentation supplied with your unit.
Re-enabling NPU support
Support for NPU accelerated interfaces is disabled by default in FIPS-CC mode. The
following CLI command re-enables NPU support:
config system npu
set offload-ipsec-host enable
end
FIPS-CC mode status indicators
There are two status indicators that show when the FortiGate unit is running in the FIPS-
CC mode of operation:
Table 1: FIPS-CC mode status indicators
Location: Front panel (some models) (press a button to deactivate screen saver)
    Indication: FIPS-CC-NAT (NAT/Route mode) or FIPS-CC-TP (Transparent mode)
Location: Output of get system status command
    Indication: FIPS-CC mode: enable
Self-test settings
The default self-test period is every 1440 minutes. The following CLI command can
change this to any period from 1 to 1440 minutes, inclusive.
config system fips-cc
set self-test-period <minutes_int>
end
Self-tests on key generation (SSL, SSH, and IPsec) are disabled by default. The following
command will re-enable the tests:
config vpn fips-cc
set key-generation-self-test enable
end
Running self-tests manually
The administrator can run self-tests manually at any time. To run all of the tests, enter the
following CLI command:
execute fips kat all
To run an individual test, enter execute fips kat <test_name>. To see the list of
valid test names, enter execute fips kat ?
Administration
When you invoke FIPS-CC mode for the first time, the FortiGate unit prompts you for a
password to assign to the administrator account. After the initial configuration of
administrators when you enable FIPS-CC mode, you can create additional administrator
accounts as needed.
User guidance
It is the administrator's responsibility to ensure users know how to use the user
authentication functions of the FortiGate unit, as described in the Authentication chapter
of the FortiOS Handbook.
Remote access requirements
In FIPS-CC mode, remote administration is not allowed via HTTP or Telnet, which are not
secure. SSH and HTTPS access are permitted but must meet certain security
requirements.
Setting minimum DH primes size
By default, in FIPS-CC mode the FortiGate unit requires values at least 3072 bits long to
be used in the Diffie-Hellman key exchange when an SSL or HTTPS session begins.
Using the CLI, you can set this minimum to any of the safe standard values specified in
RFC 3526: 1024, 1536, 2048, 3072, 4096, 6144 or 8192 bits. For example, to use
commercially available browsers, you might need to set the key size to 1024, like this:
config system global
set dh-params 1024
end
Enabling administrative access
In FIPS-CC mode, the network interfaces by default do not allow administrative access,
preventing you from using the web-based manager. You can re-enable use of the web-
based manager using CLI commands on the console. This example enables HTTPS
administrative access on the port1 interface to allow use of the web-based manager and
SSH clients:
config system interface
edit port1
set allowaccess https ssh
end
For detailed information about accessing the web-based manager, see Connecting to
the web-based manager in the Installation Guide for your unit.
SSH client requirements
To access the CLI through network interfaces in FIPS-CC mode, your SSH client must
support the following:
Authentication:
RSA X9.31 or HMAC SHA-1
Encryption:
AES128, AES192, AES256 or 3DES
Web browser requirements
To use the web-based manager in FIPS-CC mode, your web browser application must
meet the following requirements:
Authentication algorithm: RSA X9.31, PKCS1 RSA or DSS (in descending order of
preference)
Connection security: TLS 1.0
Disclaimer access banner
By default, in FIPS-CC mode, each time you log on as an administrator, you see a
warning statement that usage is monitored and that unauthorized usage can result in
disciplinary or legal action. You must accept the statement to continue. If you decline the
statement, you are immediately logged out. Logs record response to the disclaimer at
each logon.
You can disable the disclaimer in the CLI as follows:
config system global
set access-banner disable
end
Similarly, you can enable the disclaimer, like this:
config system global
set access-banner enable
end
Modifying the disclaimer text
You can modify the disclaimer to meet the requirements of your organization. The
disclaimer is an editable replacement message. Using the CLI, enter the disclaimer text in
the buffer field. To put a carriage return in the message, use Shift-Enter. For example,
config system replacemsg admin admin-disclaimer-text
set buffer "Warning! Warning! Warning!
This system is monitored at all times.
Unauthorized use may be prosecuted.
"
end
To restore the default message, enter
config system replacemsg admin admin-disclaimer-text
unset buffer
end
Administrator account lockout settings
By default, after three failed attempts to log on to an administrator account, the account
is locked out for one hour. The lockout applies only to the IP address from which the
failed attempts were made. The login name is logged. You can change the number of
logon attempts permitted and the length of the lockout using the following CLI
commands:
config system global
set admin-lockout-threshold <tries>
set admin-lockout-duration <seconds>
end
where <tries> is the permitted number of attempts, range 1 to 10 (default 3), and
<seconds> is the lockout duration in seconds, range 1 to 4,294,967,295 (default 60).
The Security Administrator can clear a lockout with the following CLI command:
execute clear system login-lockout <index>
Use a ? as the index to see the list of locked-out accounts.
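The lockout behaviour described above, modelled as an added Python example (not FortiOS code): failures are counted per source IP, that IP is locked out for the configured duration once the threshold is reached, the login name is recorded, and, as for the end-user lockout setting later in this chapter, a duration of 0 disables lockout. The class and method names, the clear() stand-in for execute clear system login-lockout, and the audit-line format are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Mirrors admin-lockout-threshold / admin-lockout-duration (and the
    auth-lockout-* pair for end users). Hypothetical names, not FortiOS code."""
    threshold: int = 3   # failed attempts permitted before lockout, range 1 to 10
    duration: int = 60   # lockout duration in seconds; 0 disables lockout

    def __post_init__(self):
        if not 1 <= self.threshold <= 10:
            raise ValueError("threshold must be between 1 and 10")
        if not 0 <= self.duration <= 4_294_967_295:
            raise ValueError("duration must be between 0 and 4,294,967,295")


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # source IP -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # source IP -> time the lockout ends
    audit: list = field(default_factory=list)         # constructed audit trail (login names logged)

    def is_locked(self, ip, now):
        """True while a lockout for this IP is in force; expired lockouts are cleared."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, user, password_ok, now):
        """Process one login attempt; returns 'locked', 'success', 'failed' or 'lockout'."""
        if self.is_locked(ip, now):
            # The lockout applies to the IP address, so even a correct password is rejected.
            self.audit.append(f"login rejected: user={user} srcip={ip} reason=locked-out")
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            self.audit.append(f"login succeeded: user={user} srcip={ip}")
            return "success"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        self.audit.append(f"login failed: user={user} srcip={ip} attempt={count}")
        if self.policy.duration and count >= self.policy.threshold:
            self.locked_until[ip] = now + self.policy.duration
            self.failures.pop(ip, None)
            self.audit.append(f"lockout: srcip={ip} until={now + self.policy.duration}")
            return "lockout"
        return "failed"

    def clear(self, ip):
        """Stand-in for 'execute clear system login-lockout'; True if a lockout was cleared."""
        self.failures.pop(ip, None)
        return self.locked_until.pop(ip, None) is not None

    def locked_ips(self, now):
        """Stand-in for listing locked-out entries with '?' as the index."""
        return sorted(ip for ip in list(self.locked_until) if self.is_locked(ip, now))


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(threshold=3, duration=60))
    for t in (100, 101, 102):
        print(tracker.attempt("10.0.0.5", "admin", False, t))
    print(tracker.attempt("10.0.0.5", "admin", True, 103))  # rejected: IP is locked out
    print(tracker.locked_ips(103), tracker.audit[-1])
```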
Scheduled administrator access
For additional security, you can limit administrator access to certain times, business days
for example. To do this, you need to create a firewall schedule and then assign the
schedule to the administrator.
You can create a firewall schedule in the web-based manager or the CLI. For more
information, refer to the documentation provided with your FortiGate unit.
To assign a schedule to an administrator, enter the following CLI commands:
config system admin
edit <admin-name>
set schedule <schedule-name>
end
where <admin-name> is the name of the administrator account and <schedule-name>
is the name of the firewall schedule.
Using custom administrator access keys (certificates)
You, as cryptographic administrator, can upload VPN certificates to use as custom RSA
keys to authenticate administrators. To do this, you must upload the signed public
certificate to the FortiGate unit. If the private key was not generated on the FortiGate unit,
it also must be uploaded. Certificates must have a modulus of at least 2048 bits.
Importing the custom RSA key
In FIPS-CC mode, you cannot import certificates using TFTP. You must use a USB
storage device instead. Put the files you want to upload on the device and connect the
device to the FortiGate unit. Use one of the following commands to import the files:
If you have a PKCS12 format key-certificate file,
execute vpn certificate local import usb pkcs12 <file_name> <password>
If you have separate certificate and key files,
execute vpn certificate local import usb cert <cert_file_name> <keyfile_name> <password_for_keyfile>
Enabling the custom RSA key
To enable the custom RSA key you imported, use the following CLI command:
config system global
set admin-server-cert <certificate-name>
end
This applies to both HTTPS and SSH connections.
Configuration backup
Configuration backup files created in FIPS-CC mode are not compatible with backup files
created in non-FIPS-CC mode. A FIPS-CC mode configuration backup cannot be
restored in non-FIPS-CC mode and vice-versa.
You can create FIPS-CC configuration backup files to use for disaster recovery. They are
valid on a replacement FortiGate unit or to restore configuration after you exit and then
re-enter FIPS-CC mode.
For detailed information about creating configuration backup files, refer to the
documentation provided with your FortiGate unit.
Firewall
FIPS-CC mode has additional requirements for security policies and firewall
authentication, compared to the standard firmware.
Security policies
When you create a security policy in FIPS-CC mode, by default the policy is not enabled.
You must explicitly enable it. In the web-based manager, after creating the policy, select
the checkbox at the beginning of the policy entry on the Policy > Policy page. In the CLI,
enable a policy by setting its status to enable. You can do this when you create the policy
or later:
config firewall policy
edit 2
set status enable
end
Policies are identified by policy ID. In the preceding example, the ID was 2.
Firewall authentication
In FIPS-CC mode, user passwords must be 8 characters or more. FTP and Telnet
mechanisms for Proxy User Authentication are not allowed, and SSL redirection must be
enabled for the HTTP mechanism.
User account lockout settings
Optionally, you can lock out a users account for a period of time after a number of
unsuccessful attempts to authenticate. You can configure this in the CLI using the
following commands:
config system global
set auth-lockout-threshold <tries>
set auth-lockout-duration <seconds>
end
where <tries> is the permitted number of attempts, range 1 to 10 (default 3), and
<seconds> is the lockout duration in seconds, range 1 to 4,294,967,295, or 0 to disable
lockout. The default is 0.
This lockout applies to end users only. Administrator lockout is configured separately.
See Administrator account lockout settings on page 18.
Configuration backup or restoration using TFTP is not permitted in FIPS-CC mode.
Logging
The Common Criteria protection profile requires logging of all traffic and logging of
system events, including startup and shutdown of functional components. The severity
threshold for logging is set to the lowest level: debug. This ensures that the maximum
amount of information is logged.
Logs are written to the FortiGate unit hard disk on all models except model 5001, which
contains a flash memory drive, and models 50A and 100A, which log to system memory.
The FortiGate unit generates warning log entries when the space allocated for logging is
filled to 75%, then 90% and finally 95% of capacity. For information about setting the log
size, see Memory log size on page 15. When logs exceed 95% of capacity, the default
action is to block further traffic and switch to Error mode. See CC Error mode on
page 29 for more information.
Logging to external devices
Logging to external devices is disabled due to the security requirements of FIPS-CC
operation, except for logging to a FortiAnalyzer unit through a secure tunnel. By default,
the secure tunnel uses the SHA-256 HMAC algorithm. You can also select SHA-1 using
the following CLI command:
config log fortianalyzer setting
set hmac-algorithm sha1
end
Downloading of logs to the management computer is also permitted. See Backing up
log messages on page 25.
Required logging settings
Table 3 and Table 4 list the logging settings required for FIPS-CC mode. The config
log memory setting command settings apply to models 50A and 100A. The config
log disk setting command settings apply to all other models. If you change these
options from the default, the operation of your FortiGate unit is no longer compliant with
the FIPS-CC Security Target.
Traffic logging to system memory is available only in FIPS-CC mode.
Table 2: config log disk filter command keywords and variables
admin {disable | enable}
    Enable or disable logging all administrative events, such as user logins, resets, and
    configuration updates in the event log. This is available only if event is set to enable.
    Default: enable
allowed {disable | enable}
    Enable or disable logging all traffic that is allowed according to the firewall policy
    settings in the traffic log. This is available only if traffic is set to enable.
    Default: enable
auth {disable | enable}
    Enable or disable logging all firewall-related events, such as user authentication, in the
    event log. This is available only if event is set to enable.
    Default: enable
event {disable | enable}
    Enable or disable the event log.
    Default: enable
severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. The FortiGate unit logs all messages at and above the
    logging severity level you select. For example, if you select error, the unit logs error,
    critical, alert and emergency level messages.
    emergency - The system is unusable.
    alert - Immediate action is required.
    critical - Functionality is affected.
    error - An erroneous condition exists and functionality is probably affected.
    warning - Functionality might be affected.
    notification - Information about normal events.
    information - General information about system operations.
    debug - Information used for diagnosing or debugging the FortiGate unit.
    Default: debug
system {disable | enable}
    Enable or disable logging of all system-related events, such as ping server failure and
    gateway status, in the event log. This is available only if event is set to enable.
    Default: enable
traffic {disable | enable}
    Enable or disable the traffic log.
    Default: enable
violation {disable | enable}
    Enable or disable logging of all traffic that violates the firewall policy settings in the
    traffic log. This is available only if traffic is set to enable.
    Default: enable
Table 3: config log disk setting command keywords and variables
diskfull {blocktraffic | nolog | overwrite}
    Enter the action to take when the log disk is full.
    Default: blocktraffic
Table 4: config log memory setting command keywords and variables
diskfull {blocktraffic | nolog | overwrite}
    Enter the action to take when the log memory is full.
    Default: blocktraffic
status {disable | enable}
    Enter enable to enable logging to the FortiGate system memory.
    Default: enable
Excluding specific logs (selective audit)
Use the exclude-list option of the log filtering command to define log entries that will not
be recorded:
config log disk filter
    config exclude-list
        edit <number>
            set category <category>
            config fields
                edit <field_name>
                    set args <argvalue>
                    set negate {enable | disable}
                end
            end
        end
    end
end
Table 5: log filter exclude-list command keywords and variables
category <category>
    category is one of: attack, content, event, im, spam, traffic, virus, webfilter
    No default.
edit <field_name>
    Enter the name of the field on which to base exclusion. Available field_name values
    depend on the category setting. If you enter an invalid field name, valid field names
    are listed.
    No default.
args <argvalue>
    Enter the field value to match.
    No default.
negate {enable | disable}
    Enable to exclude logs where the value of the <field_name> field does not match
    <argvalue>.
    Disable to exclude logs where the value of the <field_name> field matches <argvalue>.
    Default: disable
Viewing log messages from the web-based manager
To view log messages from the web-based manager, go to Log & Report > Log Access.
For detailed instructions about viewing the logs, consult the online Help system or see
the Logging & Reporting chapter of the FortiOS Handbook.
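An added Python model (not FortiOS code) of how an exclude-list entry is evaluated against log records, using the category, args and negate semantics of Table 5. That all field conditions within one entry must hold together, and that a record lacking the named field is never excluded, are this example's assumptions; the records and their field names are constructed.

```python
"""Model of selective audit via 'config log disk filter / config exclude-list'.
Added example, not FortiOS code. Assumptions beyond the handbook: all field
conditions in one entry must hold together (AND); a record matched by any entry
is dropped; a record lacking the named field satisfies neither negate setting."""

# Categories accepted by 'set category' (Table 5).
CATEGORIES = {"attack", "content", "event", "im", "spam", "traffic", "virus", "webfilter"}


def make_entry(number, category, fields):
    """One exclude-list entry: fields is a list of (field_name, argvalue, negate)
    mirroring 'edit <field_name> / set args <argvalue> / set negate {enable | disable}'."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    for name, _args, negate in fields:
        if negate not in ("enable", "disable"):
            raise ValueError(f"negate must be enable or disable for field {name}")
    return {"number": number, "category": category, "fields": list(fields)}


def field_condition_holds(record, name, argvalue, negate):
    """negate=disable: exclude when the field equals argvalue;
    negate=enable: exclude when the field differs from argvalue."""
    if name not in record:
        return False  # assumption: an absent field satisfies neither form
    if negate == "enable":
        return record[name] != argvalue
    return record[name] == argvalue


def entry_matches(entry, record):
    """An entry applies only to its own category, and every field condition must hold."""
    if record.get("category") != entry["category"]:
        return False
    return all(field_condition_holds(record, n, a, neg) for n, a, neg in entry["fields"])


def apply_exclude_list(entries, records):
    """Split records into (recorded, excluded); excluded items carry the entry number."""
    recorded, excluded = [], []
    for record in records:
        hit = next((e["number"] for e in entries if entry_matches(e, record)), None)
        if hit is None:
            recorded.append(record)
        else:
            excluded.append((hit, record))
    return recorded, excluded


# Constructed log records (field names chosen for this example, not FortiOS log fields).
SAMPLE_RECORDS = [
    {"id": 1, "category": "traffic", "status": "accept", "dstport": "443", "srcip": "10.1.1.20"},
    {"id": 2, "category": "traffic", "status": "deny", "dstport": "23", "srcip": "10.1.1.20"},
    {"id": 3, "category": "event", "subtype": "admin", "user": "admin", "status": "failed"},
    {"id": 4, "category": "traffic", "status": "accept", "dstport": "53", "srcip": "10.1.1.7"},
    {"id": 5, "category": "traffic", "status": "accept", "srcip": "10.1.1.8"},
]

# Entry 1: drop accepted traffic records unless they are DNS (dstport 53).
SAMPLE_ENTRIES = [
    make_entry(1, "traffic", [("status", "accept", "disable"), ("dstport", "53", "enable")]),
]


def recorded_ids(entries=SAMPLE_ENTRIES, records=SAMPLE_RECORDS):
    """Ids of the records that survive the exclude list."""
    recorded, _excluded = apply_exclude_list(entries, records)
    return [r["id"] for r in recorded]


if __name__ == "__main__":
    kept, dropped = apply_exclude_list(SAMPLE_ENTRIES, SAMPLE_RECORDS)
    print("recorded:", [r["id"] for r in kept])
    print("excluded:", [(n, r["id"]) for n, r in dropped])
```

Every record an entry excludes is a gap in the audit trail that the required logging settings otherwise produce, so entries should be as narrow as the DNS carve-out above.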
Viewing log messages from the CLI
You can view and clear log messages from the CLI. Before viewing logs, you must set
filter options to select the logs that you want to view. You can view one log category on
one device at a time. Optionally, you can filter the listing to show only specified date
ranges or severities of log messages. For traffic logs, you can filter log messages by
source or destination IP address.
Setting filtering for log messages
Use execute log filter commands to select which logs to display with the
execute log display command. Commands are cumulative. Enter execute log
filter list to see the current settings. For more information about log filtering, see
the FortiGate CLI Reference.
The command syntax is:
execute log filter <keyword> <variable>
Use as many execute log filter commands as you need to define the log
messages that you want to view. For example, to select the memory event logs from
10-14 July 2006, you use the following commands:
execute log filter category event
execute log filter device memory
execute log filter field date 2006-07-10 2006-07-14
Sorting log messages
In addition to selecting logs to display, the execute log filter command can sort
logs by field.
execute log filter sortby <field_name>
Enter the command without a field name to see a list of valid field names.
Table 6: execute log filter command keywords and variables
category {event | ids | spam | traffic | virus | webfilter | list}
    Type of log, except list, which displays the current setting.
    Default: event
device {disk | memory | list}
    Device where the logs are stored, except list, which displays the current setting.
    Default: disk
field <field_name>
    Filter on log field. Use ? as field_name to see a list of valid fields.
    No default.
lines-per-view <number>
    Set lines per view. Range: 5 to 1000
    Default: 10
list
    Display current filter settings.
    No default.
reset
    Reset filter settings.
    No default.
rolled-number <number>
    Select logs from rolled log files. 0 selects current log file.
    Default: 0
sortby
    Set display order. See Sorting log messages on page 24.
    No default.
start_line <integer>
    Select first line of logs to display.
    Default: 1
Viewing log messages
After you have selected the log messages that you want to view using the execute log
filter command, you can display them with the following command:
execute log display
The console displays the first 10 log messages. To view more messages, run the
command again. You can do this until you have seen all of the selected log messages. To
restart viewing the list from the beginning, use the commands
execute log filter start_line 1
execute log display
Resetting log filters
You can restore the log filters to their default values using the command
execute log reset
Backing up log messages
You can back up log messages to your Administrative computer or other computer on the
network.
Backing up log messages using the web-based manager
The FortiGate unit downloads log files to the Administrative computer using HTTPS.
1 Go to Log & Report > Log Access.
2 Select either the Disk or Memory tab as appropriate.
3 From the Log Type list, select the type of log you want to back up.
4 Select the download icon for the log file you want to back up.
5 Select either Download file in the normal format or Download file in CSV format, as
appropriate.
6 Follow your browser's procedure for saving the downloaded file.
Viewing log file information
You can view the list of current and rolled log files on the console. The list shows the file
name, size and timestamp. The CLI command is as follows:
execute log list <category>
<category> must be one of: event, ids, spam, traffic, virus or webfilter.
The output looks like this:
elog 8704 Fri Jan 28 14:24:35 2005
elog.1 1536 Thu Jan 27 18:02:51 2005
elog.2 35840 Wed Jan 26 22:22:47 2005
At the end of the list the total number of files in the category is displayed. For example:
501 event log file(s) found.
Deleting filtered log messages
You can select log messages with the execute log filter command and then
delete them with the execute log delete-filtered command. On units that
provide only memory logging, be sure to specify memory as the log device.
For example, to delete all the traffic logs from memory, enter the following commands:
execute log filter category traffic
execute log filter device memory
execute log delete-filtered
For information about the execute log filter command, see Setting filtering for
log messages on page 24.
Deleting rolled log files
You can delete rolled log files using the execute log delete-rolled command:
execute log delete-rolled <category> <start> [<end>]
<category> must be one of: event, ids, spam, traffic, virus or webfilter. The
<start> and <end> values represent the range of log files to delete. If <end> is not
specified, only the log number specified by <start> is deleted.
For example, to delete all of the rolled traffic log files, enter the following command:
execute log delete-rolled traffic 1 9999
Alarms
In FIPS-CC mode, the FortiGate unit can raise alarms for the following types of events:
failed administrator authentication
packet replay attempts (IPS)
bootup self-test failure
cryptographic failure
security policy violation (blocked sessions)
Alarms for all of these events are based on logs that report these events. For firewall
events, traffic violation logs are used.
Configuring alarms
An alarm consists of one or more trigger events that occur a specified number of times in
a particular time period. For example, you could configure the FortiGate unit to raise an
alarm if there are three unsuccessful administrative login attempts in the same minute.
You can configure alarms only in the CLI. Each alarm is defined as an alarm group.
There are separate alarm groups for each virtual domain (VDOM). You can select whether
the alarms in each VDOM are audible. Within each alarm group, you specify:
the threshold for each triggering event, 0 for events that will not trigger the alarm
the period over which the number of triggering events is counted, 0 to count from
startup
If you include more than one trigger event, the threshold for all the trigger events must be
met to trigger the alarm. Security policy violations are configured together.
Alarm notification messages appear on the web-based manager, in SSH administrator
sessions and on the console. The messages repeat until the administrator acknowledges
the alarm.
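The alarm-group semantics just described (per-event thresholds where 0 means disregard, a counting period where 0 means since startup, and all non-zero thresholds having to be met), evaluated over FortiOS-style key=value log lines in an added Python example that is not FortiOS code. The sample lines, the field combinations that classify() treats as trigger events, and the exact window boundary are constructed for this example.

```python
"""Evaluation model of a FIPS-CC alarm group over key=value log lines.
Added example, not FortiOS code: the log lines, the field combinations that
classify() counts as trigger events, and the window boundary rule are constructed."""
import re
from collections import defaultdict
from datetime import datetime

KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Alarm group threshold keyword -> the trigger event kind it counts.
THRESHOLD_KEYS = {
    "admin-auth-failure-threshold": "admin-auth-failure",
    "user-auth-failure-threshold": "user-auth-failure",
    "replay-attempt-threshold": "replay-attempt",
    "self-test-failure-threshold": "self-test-failure",
    "encryption-failure-threshold": "encryption-failure",
    "decryption-failure-threshold": "decryption-failure",
    "log-full-warning-threshold": "log-full-warning",
}


def parse_log(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KEYVAL.findall(line)}


def to_ts(date, time):
    """Epoch seconds for the date= and time= fields of a record."""
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").timestamp()


def classify(rec):
    """Map a parsed record to the trigger kind an alarm group counts (constructed rules)."""
    if rec.get("type") == "event" and rec.get("status") == "failed":
        if rec.get("subtype") == "admin":
            return "admin-auth-failure"
        if rec.get("subtype") == "auth":
            return "user-auth-failure"
    if rec.get("type") == "ips" and rec.get("attack") == "replay":
        return "replay-attempt"
    return None


def events_from_lines(lines):
    """Return [(timestamp, kind)] for the lines that are trigger events."""
    events = []
    for line in lines:
        rec = parse_log(line)
        kind = classify(rec)
        if kind is not None:
            events.append((to_ts(rec["date"], rec["time"]), kind))
    return events


def evaluate_group(group, events, now):
    """True if the alarm group triggers at time 'now'.

    group maps the keywords of 'config groups / edit <id>' to integers.
    A threshold of 0 is disregarded; period 0 counts every event since startup;
    every non-zero threshold must be met for the alarm to trigger.
    """
    period = group.get("period", 0)
    active = {kind: group[key] for key, kind in THRESHOLD_KEYS.items() if group.get(key, 0) > 0}
    if not active:
        return False
    counts = defaultdict(int)
    for ts, kind in events:
        if period == 0 or now - period < ts <= now:  # window boundary is this example's choice
            counts[kind] += 1
    return all(counts[kind] >= threshold for kind, threshold in active.items())


# Constructed log lines: three failed admin logins, one success, one IPS replay event.
SAMPLE_LINES = [
    'date=2011-12-16 time=09:39:10 type=event subtype=admin user="admin" srcip=10.0.0.5 action=login status=failed',
    'date=2011-12-16 time=09:39:25 type=event subtype=admin user="admin" srcip=10.0.0.5 action=login status=failed',
    'date=2011-12-16 time=09:39:40 type=event subtype=admin user="admin" srcip=10.0.0.5 action=login status=failed',
    'date=2011-12-16 time=09:39:45 type=event subtype=admin user="admin" srcip=10.0.0.5 action=login status=success',
    'date=2011-12-16 time=09:39:50 type=ips attack=replay srcip=10.0.0.9 dstip=10.0.0.1',
]
NOW = to_ts("2011-12-16", "09:39:55")


def sample_alarm_state():
    """Evaluate three constructed alarm groups against SAMPLE_LINES at NOW."""
    events = events_from_lines(SAMPLE_LINES)
    return {
        # three admin failures in the same minute, like the handbook's example
        "admin_3_in_60s": evaluate_group({"admin-auth-failure-threshold": 3, "period": 60}, events, NOW),
        # a 20-second window sees only the last failure, so no alarm
        "admin_3_in_20s": evaluate_group({"admin-auth-failure-threshold": 3, "period": 20}, events, NOW),
        # two trigger events: both thresholds must be met, and only one replay was seen
        "admin_3_and_replay_2": evaluate_group(
            {"admin-auth-failure-threshold": 3, "replay-attempt-threshold": 2, "period": 0}, events, NOW),
    }


if __name__ == "__main__":
    for name, triggered in sample_alarm_state().items():
        print(f"{name}: {'ALARM' if triggered else 'quiet'}")
```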
Alarm CLI configuration
The system alarm command syntax is as follows:
config system alarm
    set status {enable | disable}
    set audible {enable | disable}
    config groups
        edit <group_id>
            set admin-auth-failure-threshold <integer>
            set decryption-failure-threshold <integer>
            set encryption-failure-threshold <integer>
            set log-full-warning-threshold <integer>
            set period <integer>
            set replay-attempt-threshold <integer>
            set self-test-failure-threshold <integer>
            set user-auth-failure-threshold <integer>
            config fw-policy-violations
                edit <violation_id>
                    set dst-port <dport_number>
                    set dst-ip <dst_ip>
                    set src-port <sport_number>
                    set src-ip <src_ip>
                    set threshold <integer>
                end
            end
        end
    end
end
The keywords and variables are:
Table 7: system alarm keywords and variables
audible {enable | disable}
    If enabled, the console beeps when the alarm notification appears.
    Default: disable
status {enable | disable}
    Enable or disable all alarms.
    Default: disable
Alarm group keywords and variables
edit <group_id>
    <group_id> is the group identifier. Use 0 to automatically assign the next available
    number.
    No default.
admin-auth-failure-threshold <integer>
    Enter threshold for administrator authentication failures. Use 0 to disregard in this
    alarm group.
    Default: 0
decryption-failure-threshold <integer>
    Enter threshold for cryptographic failure in decryption. Use 0 to disregard in this alarm
    group.
    Default: 0
encryption-failure-threshold <integer>
    Enter threshold for cryptographic failure in encryption. Use 0 to disregard in this alarm
    group.
    Default: 0
log-full-warning-threshold <integer>
    Enter the threshold for log full warnings. Use 0 to disregard in this alarm group.
    Default: 0
period <integer>
    Enter the period over which triggering events are counted. Use 0 for no limit (events
    are counted from startup).
    Default: 0
replay-attempt-threshold <integer>
    Enter threshold for packet replay attempts. Use 0 to disregard in this alarm group.
    Default: 0
self-test-failure-threshold <integer>
    Enter threshold for failure of startup integrity tests. Use 0 to disregard in this alarm
    group. A self-test failure alarm is visible only after you recover from Error mode.
    Default: 0
user-auth-failure-threshold <integer>
    Enter threshold for user authentication failures. Use 0 to disregard in this alarm group.
    Default: 0
fw-policy-violations keywords and variables
edit <violation_id>
    <violation_id> is the identifier for this trigger. Use 0 to automatically assign the next
    available number.
    No default.
dst-port <dport_number>
    Enter the destination port number to match in the traffic violation log.
    Default: 0
dst-ip <dst_ip>
    Enter the destination IP or subnet address to match in the traffic violation log.
    Default: 0
src-port <sport_number>
    Enter the source port number to match in the traffic violation log.
    Default: 0
src-ip <src_ip>
    Enter the source IP or subnet address to match in the traffic violation log.
    Default: 0
Alarm notifications
Alarm notifications appear on both the CLI console and the web-based manager. On the
CLI console alarm notifications look like this:
******************* !!! A L A R M !!! *******************
* ID: 1 Time: Tue Sep 5 09:39:55 2006
* Group ID: 1 VD: root
* Type: Authentication failures
* Message: Alarm is triggered
*********************************************************
On the web-based manager, alarm notifications appear in a separate browser window
and look like this:
Figure 1: Alarm notification - web-based manager
The notification clearly shows the time, virtual domain, alarm group and type. Alarm
notifications repeat until you acknowledge them. On the CLI console, the notification
repeats every time you use the Enter key. In the web-based manager, you can close the
alarm notification window, but the alarm will reappear in a few seconds.
Acknowledging alarms
To acknowledge an alarm in the web-based manager, you simply select OK in the alarm
notification window. On the CLI console, you acknowledge alarms using one of the
following commands:
To acknowledge a single alarm
execute ack-alarm <alarm-ID>
To acknowledge all alarms
execute ack-alarm all
Alarm polling
A terminal connected to the console connector can display alarm messages periodically
if no one is logged in to the console. You can set how often alarm messages are reported
on the console.
config system global
set alarm-poll-interval <second>
end
You can set the polling interval to a value from 1 to 60 seconds. The default is 5 seconds.
Error modes
There are two error modes in FIPS-CC mode: FIPS Error and CC Error.
FIPS Error mode
When one or more of the self-tests fail, the FortiGate unit switches to FIPS Error mode.
The FortiGate unit shuts down all interfaces including the console and blocks traffic.
To resume normal FIPS-CC mode operation, switch the unit off and then on again. If the
self-tests pass after the reboot, the unit will resume normal FIPS-CC compliant operation.
If a self-test continues to fail after rebooting, there is likely a serious firmware or hardware
problem and the unit should be removed from the network until the problem is solved.
If the self-test failure persists across reboots, you can attempt to reload the firmware after
resetting the unit to the factory default configuration. If the self-test failure persists after
reloading the firmware and re-enabling the FIPS-CC mode of operation, contact Fortinet
technical support.
CC Error mode
When current logs and rolled log files consume more than 95% of log capacity, the
FortiGate unit switches to CC Error mode, shuts down network interfaces and blocks
traffic.
The FortiGate unit indicates Error mode as follows:
The console displays FIPS-CC-ERR. You might have to press a panel key to see this
display.
CC-ERR is prepended to the CLI prompt, CC-ERR FortiGate-500A$, for example.
To resume normal FIPS-CC mode operation, you first must reduce logs to less than 95%
of device capacity and exit error mode.
To reduce logs
From the console, do any of the following:
Delete selected logs. See Deleting filtered log messages on page 25. Ideally, you
should reduce logs to 50% or less of device capacity.
Delete rolled log files using the command execute log delete-rolled.
Delete all current log entries using the command execute log delete-all.
To exit error mode
From the console, enter the following CLI command:
execute error-mode exit
The FortiGate unit resumes normal FIPS-CC compliant operation unless there is still too
little free space on the log device.
Disabling FIPS-CC mode
The only way that you can return the FortiGate unit to the normal mode of operation is to
restore the factory default configuration. Enter the following CLI command:
execute factoryreset
Disabling FIPS-CC mode erases the current configuration, including VPN certificates and
encryption keys for SSH and HTTPS.
Configuring FortiGate units for PCI
DSS compliance
This chapter provides information about configuring your network and FortiGate unit to
help you comply with PCI DSS requirements. There is also some description of other
Fortinet products that can help you with PCI DSS compliance. The following topics are
included in this section:
Introduction to PCI DSS
Network topology
Security policies for the CDE network
Wireless network security
Protecting stored cardholder data
Protecting communicated cardholder data
Protecting the CDE network from viruses
Monitoring the network for vulnerabilities
Restricting access to cardholder data
Controlling access to the CDE network
Introduction to PCI DSS
The primary source of information for your PCI DSS compliance program is the Payment
Card Industry (PCI) Data Security Standard itself. Version 1.2.1 of the standard was
published in July 2009. The following is only a brief summary of PCI DSS.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) sets data handling
requirements for organizations that hold, process, or exchange cardholder information.
What is the Customer Data Environment?
Throughout the PCI DSS requirements, there are references to the Customer Data
Environment (CDE). The CDE is the computer environment wherein cardholder data is
transferred, processed, or stored, and any networks or devices directly connected to that
environment.
PCI DSS objectives and requirements
PCI DSS consists of 7 control objectives and 12 requirements.
Table 8: PCI DSS Control Objectives and Requirements

Control Objective: Build and Maintain a Secure Network
  Requirement 1) Install and maintain a firewall configuration to protect cardholder data
  Fortinet Solution: FortiGate firewall functionality. See Security policies for the CDE
  network on page 36.
  Requirement 2) Do not use vendor-supplied defaults for system passwords and other
  security parameters
  Fortinet Solution: FortiDB vulnerability assessment and auditing; FortiScan OS
  vulnerability management; FortiWeb web application password checking. See Password
  complexity and change requirements on page 42.

Control Objective: Protect Cardholder Data
  Requirement 3) Protect stored cardholder data
  Fortinet Solution: FortiDB vulnerability assessment and monitoring; FortiWeb web
  application firewall. See Protecting stored cardholder data on page 39.
  Requirement 4) Encrypt transmission of cardholder data across open, public networks
  Fortinet Solution: FortiGate IPsec VPN. See Protecting communicated cardholder data
  on page 39.

Control Objective: Maintain a Vulnerability Management Program
  Requirement 5) Use and regularly update anti-virus software
  Fortinet Solution: FortiGate integrated AV; FortiClient integrated AV; FortiMobile
  integrated AV; FortiMail integrated AV; FortiGuard automated AV updates. See
  Protecting the CDE network from viruses on page 40.
  Requirement 6) Develop and maintain secure systems and applications
  Fortinet Solution: FortiDB vulnerability assessment, auditing and monitoring; FortiWeb
  web application security; FortiScan OS vulnerability management; FortiAnalyzer
  network vulnerability scanning. See Monitoring the network for vulnerabilities on
  page 41.

Control Objective: Implement Strong Access Control Measures
  Requirement 7) Restrict access to cardholder data by business need-to-know
  Fortinet Solution: FortiDB vulnerability assessment, auditing and monitoring. See
  Restricting access to cardholder data on page 42.
  Requirement 8) Assign a unique ID to each person with computer access
  Fortinet Solution: FortiGate integrated database or hooks to Active Directory. See
  Controlling access to the CDE network on page 42.
  Requirement 9) Restrict physical access to cardholder data
  Fortinet Solution: Fortinet professional services in partnership with partner solutions

Control Objective: Regularly Monitor and Test Networks
  Requirement 10) Track and monitor all access to network resources and cardholder data
  Fortinet Solution: FortiDB auditing and monitoring; FortiAnalyzer event reporting,
  vulnerability scanning. See Monitoring the network for vulnerabilities on page 41.
  Requirement 11) Regularly test security systems and processes
  Fortinet Solution: FortiDB vulnerability assessment; FortiScan OS vulnerability
  management. See Monitoring the network for vulnerabilities on page 41.

Control Objective: Maintain an Information Security Policy
  Requirement 12) Maintain a policy that addresses information security
  Fortinet Solution: FortiManager security policy management appliance

This chapter describes how the FortiGate unit's features can help your organization to be
compliant with PCI DSS. Requirements that the FortiGate unit cannot enforce need to be
met through organization policies, with some means determined for auditing compliance.
Be sure to read the section Wireless guidelines, below. Even if your organization does
not use wireless networking, PCI DSS requires you to verify periodically that wireless
networking has not been introduced into the CDE.
Wireless guidelines
While wired networks usually connect fixed, known workstations, wireless networks are
more dynamic, introducing a different set of security concerns.
Even if your organization does not use wireless networking, PCI DSS requires you to
verify periodically that unauthorized wireless networking has not been introduced into the
CDE. Wireless networking could be introduced quite casually by adding a wireless device
to a PC on the CDE network.
For all PCI DSS networks, whether they use wireless technology or not, the following
requirement applies:
Test for the presence of wireless access points by using a wireless analyzer at least
quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use. (11.1)
If your organization uses wireless networking outside the CDE network and the firewall
prevents communication with the CDE network, the wireless network is outside the PCI
DSS scope, but the firewall configuration must meet PCI DSS requirements.
If your organization uses wireless networking inside the CDE network, the wireless
network is within the PCI DSS scope. For information about wireless network
requirements, see Wireless network security on page 37.
Network topology
The cardholder data environment must be protected against unauthorized access from
the Internet and from other networks in your organization. FortiGate unit firewall
functionality provides tight control over the traffic that can pass between the following
network interfaces:
Internet
CDE wired LAN
CDE wireless LAN
Other internal networks
Figure 2 shows how the Customer Data Environment can be delineated in a typical
network.
Figure 2: Enterprise network with a customer data environment
Internet
The FortiGate unit has at least one network interface connected to the Internet. If your
organization uses more than one Internet service provider, there could be additional
network interfaces that function as a route to the Internet.
[Figure 2 labels (diagram not reproduced): Customer Data Environment containing servers,
a database, point-of-sale terminals and WAPs; office private network; off-site VPN link(s)
to remote POS, logging, etc.]
The CDE wired LAN
The CDE network typically contains point-of-sale (POS) terminals, databases, and
servers. The only security policies between the CDE network and the Internet should be
for encrypted connections. For remote point-of-sale terminals or off-site databases, VPN
connections are required and they should use strong encryption. For a web server that
handles online purchases, only HTTPS (SSL or TLS) connections can be permitted. The
security policies that enable these connections should have the narrowest possible
definitions for source address, destination address and service.
PCI DSS does not require the CDE network to be isolated from the rest of your corporate
LAN. But isolating the CDE network reduces the scope of required data protection
measures and may reduce the scope of PCI DSS assessments that are periodically
required.
The CDE wireless LAN
Wireless networking is a special issue. Even if you do not use wireless technology you
must monitor to ensure that unauthorized wireless access has not been added to the
CDE network. For this purpose, Figure 2 shows a FortiAP device in the CDE. The FortiAP
device can provide dedicated wireless monitoring, an access point, or both.
A small retail outlet could reduce costs by using a FortiWiFi unit, a FortiGate unit with
integrated wireless networking. The FortiWiFi unit would have to be located where it
could provide sufficient wireless monitoring (or access point) coverage for the entire
premises.
Other internal networks
Other internal networks such as your office LAN, unless they provide connection to the
CDE, are not subject to PCI DSS requirements.
Security policies for the CDE network
The FortiGate unit's firewall functionality is ideally suited to PCI DSS requirement 1.2.1,
Restrict inbound and outbound traffic to that which is necessary for the cardholder data
environment. Security policies control the source, destination, and type of traffic passing
between networks.
The PCI DSS standard includes requirements to document your network topology and
configuration. As part of that requirement, and to assist the auditing of your network,
make use of the Comment field available in FortiGate security policies. Describe the
purpose of each policy.
Controlling the source and destination of traffic
The source and destination are the first parameters you specify in a security policy. (Go to
Policy > Policy > Policy and select Create New.)
The Interface/Zone settings depend on network topology. The Address settings define
the IP addresses to which the policy applies. These should be as narrow as possible, so
that only the appropriate hosts are included. For example, if the destination is a server
with a single IP address, the named Destination Address should be defined as that single
address, not the entire subnet on which the server resides.
Addresses are defined in Firewall Objects > Address > Address. You can also define a
new address by selecting [Create New...] from either the Source Address or Destination
Address drop-down lists in a security policy. Some addresses will be used in several
security policies, so it is best to plan ahead and define the addresses first.
Controlling the types of traffic in the CDE
The Service setting in each security policy determines which types of traffic can pass
based on protocol.
You can select a single protocol from the Service drop-down list or select Multiple and
create a list of services to permit in this policy. If several security policies will need the
same list of services, consider creating a named service group. (Go to Firewall Objects >
Service > Group.) In the security policy, service groups are available at the bottom of the
Service drop-down list.
The default deny policy
All traffic not specifically allowed by a security policy that you create is blocked by the
Implicit policy listed at the bottom of the Policy > Policy > Policy page.
You cannot delete this policy and you can edit the policy only to enable or disable logging
of the traffic that it handles.
Wireless network security
Scanning for rogue access points is the minimum requirement for wireless security. Even
if your organization does not use wireless networking, PCI DSS requires you to verify
periodically that wireless networking has not been introduced into the CDE.
If you use wireless networking, the wireless network is only within the PCI DSS scope if it
can connect to the CDE.
Scanning for rogue access points
A FortiGate unit with a connected FortiAP unit can perform wireless scanning. Each of
the FortiAP radios can act as a dedicated monitor or can perform scanning in the
background while acting as a wireless access point.
To configure rogue AP scanning
1 Go to Wifi Controller > Configuration > AP Profile.
2 Select an existing AP Profile and edit it, or select Create New.
3 For each radio, select either Access Point or Dedicated Monitor, as required.
4 If you selected Access Point, enable Background Scan.
5 If needed, modify other settings.
6 Select OK.
Radio 1 operates in the 2.4GHz band and Radio 2 operates in the 5GHz band. Both
bands should be monitored. The FortiAP unit(s) used for scanning must be located within
the coverage area that would result if an access point were added to the CDE.
Automatic detection of rogue APs
Some FortiGate units include an on-wire detection technique that correlates the SSID
MAC addresses of the unknown access points with MAC addresses detected on your
wired networks. This helps to differentiate unrelated neighboring APs from security-
compromising unauthorized APs connected to your network.
Viewing the results of rogue AP scanning
Go to Wifi Controller > Monitor > Rogue AP to view information about detected wireless
access points.
Logging the results of rogue AP scanning
To ensure that detection of rogue access points is logged, go to Log&Report >
Log Config > Log Setting and enable logging for Wifi activity event.
In the logs, the Type is event and the Sub Type is wireless.
Securing a CDE network WAP
If your wireless network is within PCI DSS scope, it must meet the following
requirements:
Default settings such as SSID and passphrases must be changed.
Use WPA security, not WEP.
Log wireless activity.
Setting wireless security
On FortiGate units, go to Wifi Controller > WiFi Network > SSID to configure wireless
security settings for either a new or existing virtual access point.
The default SSID for the FortiAP is fortinet. You must change this.
The Security Mode must be set to one of the WPA/WPA2 modes. Both WPA and WPA2
clients can be served. In the CLI, you can optionally select exclusively WPA or WPA2
operation.
For Data Encryption, AES is stronger than TKIP.
WPA/WPA2-Enterprise Authentication uses separate logon credentials for each user.
Either FortiGate user group security or an external RADIUS server performs the
authentication. Optionally, certificate-based security can also be applied. WPA/WPA2-
Personal authentication requires a single pre-shared key that is used by all clients and is
thus less secure.
For detailed information about wireless access points, see the Deploying Wireless
Networks chapter of the FortiOS Handbook.
Logging wireless network activity
To ensure that wireless network activity is logged, go to Log&Report > Log Config >
Log Setting and enable logging for WiFi activity event. In the logs, the Type is event and
the Sub Type is wireless.
Protecting stored cardholder data
The Fortinet FortiDB and FortiWeb products can provide security for your sensitive
cardholder data.
The Fortinet Database Security (FortiDB) device provides vulnerability assessment,
database activity monitoring, auditing and monitoring. For more information about this
product, see the Fortinet web site, www.fortinet.com.
The Fortinet FortiWeb Web Application Firewall deployed in front of public-facing web
applications protects Web applications, databases, and the information exchanged
between them. In particular, it addresses the PCI DSS requirements 6.5 and 6.6 regarding
web application vulnerabilities such as cross-site scripting, SQL injection, and
information leakage. For more information about this product, see the Fortinet web site,
www.fortinet.com.
Protecting communicated cardholder data
If cardholder data must be communicated over an untrusted network, such as the
Internet, use the FortiGate unit's IPsec VPN capability to exchange the data securely. If
you support customer on-line transactions, use HTTPS (SSL or TLS encryption) for
security. The relevant PCI DSS requirement is:
Use strong cryptography and security protocols such as SSL/TLS or IPsec to
safeguard sensitive cardholder data during transmission over open, public networks.
(4.1)
This does not prescribe particular cryptography, but it can be interpreted as a
requirement to follow industry best practices.
Configuring IPsec VPN security
The security considerations for IPsec VPNs are encryption and authentication.
Encryption
Go to VPN > IPsec > Auto Key (IKE) to configure an IPsec VPN. In both Phase 1 and
Phase 2 parts of the configuration, you select the encryption to use.
These are advanced settings, overriding defaults that are not necessarily the strongest
algorithms. VPNs negotiate over standards, so you can list multiple proposed algorithms.
The VPN will use the strongest encryption that both ends support.
Choose strong encryption. The available encryption algorithms in descending order of
strength are AES256, AES192, AES128, 3DES, DES. DES encryption is the weakest with
only a 64-bit key and does not meet the 80-bit key length minimum that PCI DSS
requires. NULL means no encryption and must not be used.
The message digest (authentication) algorithms in descending order of strength are
SHA256, SHA1 and MD5. MD5 is particularly weak and should be avoided. NULL means
no message digest and must not be used.
Authentication
VPN peers authenticate each other before establishing a tunnel. FortiGate units support
two different authentication methods: pre-shared key and RSA signature (certificate).
Certificates provide the best security. PCI DSS does not prohibit pre-shared keys, but
you should limit access to the keys to the personnel who are responsible for the
FortiGate units or other equipment at either end of the VPN.
Configuring SSL VPN security
The SSL VPN configuration includes a choice of encryption algorithm. Go to VPN > SSL
> Config. The Default selection, RC4 (128 bits), is acceptable, but the High option, AES
(128/256 bits) and 3DES, is more secure. The Low option, RC4 (64 bits), DES and higher,
does not meet PCI DSS requirements.
Protecting the CDE network from viruses
PCI DSS requires the use of regularly updated antivirus protection. The antivirus
functionality of the FortiGate unit protects both the FortiGate unit and the networks it
manages. Workstations on these networks can be protected using FortiClient Endpoint
Security. Both FortiGate and FortiClient antivirus protection can receive updates from
Fortinet's FortiGuard service. Workstations can also use third-party antivirus applications
with update services.
The FortiGate unit can enforce the use of antivirus software, denying unprotected
workstations access to the network.
Enabling FortiGate antivirus protection
To create the antivirus profile
1 Go to UTM Profiles > Antivirus > Profile.
2 Edit the default predefined profile or select Create New.
3 Ensure that all check boxes are selected.
4 Select OK.
To select the antivirus database
1 Go to UTM Profiles > Antivirus > Virus Database.
2 Select the Extended Virus Database.
3 Select Enable Grayware Detection.
4 Select Apply.
For detailed information about the Antivirus feature, see the UTM chapter of the FortiOS
Handbook.
Configuring antivirus updates
On the system dashboard, check the License Information widget. The Support Contract
section should show Valid Contract and the contract expiry date. If your FortiGate unit is
not registered, you need to visit the Fortinet Support web page
(http://support.fortinet.com/) to register. Go to Product Registration and follow the
instructions.
In the FortiGuard Services section, check the Antivirus field. If the service is unreachable,
see the online Help for information about troubleshooting your connectivity to FortiGuard
Services.
Enforcing firewall use on endpoint PCs
PCI DSS requires you to install personal firewall software on any mobile and/or
employee-owned computers with direct connectivity to the Internet (for example, laptops
used by employees), which are used to access the organization's network. (1.4)
Consider using the Endpoint Control feature of the FortiGate unit to enforce use of this
software.
Monitoring the network for vulnerabilities
There are several tools that can assist you in monitoring your network for vulnerabilities
and provide evidence to the PCI DSS auditor of such monitoring.
Using the FortiOS Network Vulnerability Scan feature
As part of its UTM features, FortiGate units provide a Network Vulnerability Scan. You
define assets to monitor, such as servers, workstations, or point-of-sale terminals. Then,
the FortiGate unit scans those devices on a regular schedule. The scan checks TCP and
UDP ports against a list of known vulnerabilities provided by FortiGuard Services. Scan
settings determine how many of the ports are checked. Optionally, all ports are scanned.
To view scan logs, go to Log&Report > Log & Archive Access > Vulnerability Scan Log.
FortiGate units can be configured to send logs to FortiAnalyzer unit. In a larger network,
this enables you to collect log information, including vulnerability scan information, in a
central location from several FortiGate units.
For more information, see the Endpoint chapter of this FortiOS Handbook.
Monitoring with other Fortinet products
In addition to your FortiGate unit and its FortiOS firmware, there are several other Fortinet
products that can assist your organization to comply with PCI DSS requirements.
FortiAnalyzer network vulnerability scan
FortiAnalyzer units provide a Network Vulnerability Scan similar to the FortiGate
vulnerability scan but with more features. In particular, the FortiAnalyzer scan generates
compliance reports specifically tailored to PCI DSS requirements. For more information,
see the Vulnerability Management chapter of the FortiAnalyzer Administration Guide.
Fortinet Database Security (FortiDB)
A FortiDB appliance or FortiDB software can provide vulnerability scanning and activity
monitoring for your databases. For more information, see the FortiDB User Guide.
FortiScan Vulnerability and Compliance Management platform
The FortiScan Vulnerability and Compliance Management (VCM) platform combines a
FortiScan appliance with FortiScan agent software to monitor your network assets such
as servers, workstations, or point-of-sale terminals. This system can perform vulnerability
scans and apply software patches provided by the software vendors. The scan profiles
include a predefined one for PCI DSS. The FortiScan appliance produces compliance
reports detailing the results of the vulnerability scan.
For more information, see the FortiScan Administration Guide.
FortiWeb Web Application Security
If your organization engages in e-Commerce, you can use FortiWeb Application Security
to protect your web servers against attack. The FortiWeb application protects against
HTTP and XML-based attacks, guards against attempts to deface your web sites, and
scans web servers for vulnerabilities. For more information, see the FortiWeb Web
Application Security Administration Guide.
Restricting access to cardholder data
In addition to security policies and authentication governing access to the CDE, you can
deploy the Fortinet Database Security (FortiDB) device, which provides vulnerability
assessment, database activity monitoring, auditing and monitoring. For more information
about this product, see the Fortinet web site, www.fortinet.com.
Controlling access to the CDE network
PCI DSS requires each user to be uniquely identified and authenticated. On the FortiGate
unit, this applies to administrators and to users of SSL VPN and IPsec VPNs.
Password complexity and change requirements
By default, the FortiGate unit admin account has no password. Be sure to define a
password.
PCI DSS password requirements are
Require a minimum password length of at least seven characters. (8.5.10)
Use passwords containing both numeric and alphabetic characters. (8.5.11)
Change user passwords at least every 90 days. (8.5.9)
To facilitate creation of compliant administrator passwords, you can set a password
policy. Go to System > Admin > Settings. In the Password Policy section, enter the
following and then select OK at the bottom of the page.
Enable: Select the check box.
Minimum Length: 8 or more. (The field does not accept a value less than 8.)
Must Contain: At minimum, set a required number of Numerical Digits and either Upper
Case Letters or Lower Case Letters. Also setting a required number of Non-alphabetic
Letters is acceptable.
Apply Password Policy to: Select Admin Password.
Enable Password Expiration: Set to 90 days or less. The default is 90 days.
Note that the FortiGate password policy does not apply to user passwords. Both
password complexity and password expiry for users need to be addressed by making
them a policy in your organization.
Password non-reuse requirement
PCI DSS requires that passwords are not re-used to satisfy the change requirement:
Do not allow an individual to submit a new password that is the same as any of the last
four passwords he or she has used. (8.5.12)
FortiGate users don't set their own passwords. The super_admin administrators can, and
so can admins with appropriate access. There is, however, no FortiGate-based
mechanism to enforce non-reuse of passwords.
Administrator lockout requirement
PCI DSS requires a user account lockout for administrators to guard against
unauthorized access attempts:
Limit repeated access attempts by locking out the user ID after not more than six
attempts. (8.5.13)
Set the lockout duration to a minimum of 30 minutes or until administrator enables the
user ID. (8.5.14)
You can meet these requirements with the following CLI commands:
config system global
set admin-lockout-threshold 6
set admin-lockout-duration 1800
end
The threshold can be less than 6 and the lockout duration (in seconds) can be more
than 1800.
Administrator timeout requirement
PCI DSS requires:
If a session has been idle for more than 15 minutes, require the user to re-enter the
password to reactivate the terminal. (8.5.15)
By default, the idle timeout is five minutes. You can go to System > Admin > Settings and
change the Idle Timeout to any value up to the permitted maximum of 15 minutes.
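The following Python script is an added example, not code from the FortiOS Handbook or from Fortinet. It parses a constructed FortiOS CLI excerpt in the config/edit/set/next/end form used above and checks it against the thresholds this chapter lists for IPsec Phase 1 proposals (requirement 4.1) and for administrator lockout, password policy and idle timeout (8.5.9 to 8.5.15). Only admin-lockout-threshold and admin-lockout-duration appear on the page; the admintimeout key, the system password-policy keys, the proposal naming and the defaults assumed for absent keys are assumptions.

```python
# Added example (not Fortinet code): check a FortiOS CLI excerpt against the PCI DSS
# thresholds this chapter lists. Only admin-lockout-threshold and admin-lockout-duration
# appear on the page; the other key names and the assumed defaults are assumptions.
# Constructed sample configuration (not from a real device). It deliberately contains a
# weak lockout threshold, a weak expiry setting and one weak Phase 1 proposal list.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-threshold 10
    set admin-lockout-duration 1800
    set admintimeout 5
end
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 8
    set min-number 1
    set min-lower-case-letter 1
    set expire-status enable
    set expire-day 120
end
config vpn ipsec phase1
    edit "pos-site-1"
        set proposal aes256-sha256 aes128-sha1
    next
    edit "legacy-db"
        set proposal 3des-md5 des-sha1
    next
end
"""

# Per the page: DES is below PCI's 80-bit key minimum, MD5 is particularly weak, and
# NULL means no encryption or no digest; 3DES and SHA1 are accepted by the page.
WEAK_CIPHERS = {"des", "null"}
WEAK_DIGESTS = {"md5", "null"}

def parse_fortios_config(text):
    """Turn config/edit/set/next/end lines into dicts: flat sections map key -> value,
    sections with edit blocks map entry name -> {key -> value}."""
    sections = {}
    section = None  # name of the current "config ..." block
    entry = None    # name of the current "edit ..." block, if inside one
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            target = sections[section][entry] if entry else sections[section]
            target[key] = value
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections

def check_admin_settings(cfg):
    """Return (requirement, message) findings for lockout, idle timeout and password policy."""
    findings = []
    g = cfg.get("system global", {})
    # Assumed FortiOS defaults for absent keys: threshold 3, duration 60 s, timeout 5 min.
    if int(g.get("admin-lockout-threshold", 3)) > 6:
        findings.append(("8.5.13", "admin-lockout-threshold must be 6 or less"))
    if int(g.get("admin-lockout-duration", 60)) < 1800:
        findings.append(("8.5.14", "admin-lockout-duration must be at least 1800 seconds"))
    if int(g.get("admintimeout", 5)) > 15:
        findings.append(("8.5.15", "admintimeout must be 15 minutes or less"))
    p = cfg.get("system password-policy", {})
    if p.get("status") != "enable" or "admin-password" not in p.get("apply-to", ""):
        findings.append(("8.5.10", "password policy is not enabled for admin passwords"))
        return findings
    if int(p.get("minimum-length", 0)) < 7:
        findings.append(("8.5.10", "minimum-length must be at least 7"))
    digits = int(p.get("min-number", 0)) >= 1
    letters = int(p.get("min-lower-case-letter", 0)) + int(p.get("min-upper-case-letter", 0)) >= 1
    if not (digits and letters):
        findings.append(("8.5.11", "policy must require both numeric and alphabetic characters"))
    if p.get("expire-status") != "enable" or int(p.get("expire-day", 0)) > 90:
        findings.append(("8.5.9", "password expiry must be enabled and set to 90 days or less"))
    return findings

def check_ipsec_proposals(cfg):
    """Flag Phase 1 proposals whose cipher or digest the page says must not be used."""
    findings = []
    for name, settings in cfg.get("vpn ipsec phase1", {}).items():
        for proposal in settings.get("proposal", "").split():
            cipher, _, digest = proposal.partition("-")
            if cipher in WEAK_CIPHERS or digest in WEAK_DIGESTS:
                findings.append(("4.1", f"phase1 {name}: weak proposal {proposal}"))
    return findings

if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for req, msg in check_admin_settings(parsed) + check_ipsec_proposals(parsed):
        print(f"PCI DSS {req}: {msg}")
```

Running it against the sample reports the lockout threshold (8.5.13), the 120-day expiry (8.5.9) and both proposals of the legacy-db tunnel (4.1); a configuration exported with `show` from a real unit can be fed to parse_fortios_config the same way.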
Administrator access security
To accommodate the requirement for unique identification of each user, the generic
admin account should either be assigned to only one administrator or not used at all. You
can create an administrator account for each administrator in System > Admin >
Administrators.
If an administrator always works from the same workstation, consider using the Trusted
Host feature. The administrator will be able to log in only from a trusted IP address. You
can define up to three trusted IP addresses per administrator.
Administrative access must also be enabled per network interface. Go to System >
Network > Interface to edit the interface settings. Enable administrative access only on
interfaces where you would expect the administrator to connect. Allow only secure
connection protocols, HTTPS for web-based access, SSH for CLI access.
Remote access security
For remote access, PCI DSS requires two-factor authentication: a password and some
other authentication, such as a smart token or certificate. This applies to employees,
administrators, and third parties.
SSL VPN users
For SSL VPN users, implement two-factor authentication by requiring users to have a
certificate in addition to the correct password. Go to VPN > SSL > Config, enable Require
Client Certificate, and then select Apply. For more information, see the SSL VPN chapter
of the FortiOS Handbook.
IPsec VPN users
If users access your network using an IPsec VPN, you can implement two-factor
authentication by enabling extended authentication (XAUTH). This requires the user to
enter a password in addition to the VPN authentication provided by the certificate or pre-
shared key. As PCI DSS requires each user to have a unique identifier, you should already
have user accounts and user groups defined.
To configure XAUTH on your VPN
1 Go to VPN > IPsec > Auto Key (IKE) and edit your Phase 1 configuration.
2 Select Advanced.
3 In XAUTH, select Enable as Server.
Enable as Server is available only if Remote Gateway is Dialup User.
4 Set Server Type to PAP, CHAP, or AUTO as appropriate.
5 Select the User Group to which the VPN users belong.
6 Select OK.
Appendix
Document conventions
Fortinet technical documentation uses the conventions described below.
IPv4 IP addresses
To avoid publication of public IPv4 IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing:
IP addresses are made up of A.B.C.D:
  A - can be one of 192, 172, or 10 - the private addresses covered in RFC 1918.
  B - 168, or the branch / device / virtual device number.
    Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
    Device or virtual device - allows multiple FortiGate units in this address space
    (VDOMs).
    Devices can be from x01 to x99.
  C - interface - FortiGate units can have up to 40 interfaces, potentially more than one
  on the same subnet.
    001 - 099 - physical address ports, and non-virtual interfaces
    100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
  D - usage based addresses; this part is determined by what the device is doing. The
  following gives 16 reserved, 140 users, and 100 servers in the subnet.
    001 - 009 - reserved for networking hardware, like routers, gateways, etc.
    010 - 099 - DHCP range - users
    100 - 109 - FortiGate devices - typically only use 100
    110 - 199 - servers in general (see later for details)
    200 - 249 - static range - users
    250 - 255 - reserved (255 is broadcast, 000 not used)
The D segment servers can be further broken down into:
    110 - 119 - Email servers
    120 - 129 - Web servers
    130 - 139 - Syslog servers
    140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc.)
    150 - 159 - VoIP / SIP servers / managers
    160 - 169 - FortiAnalyzers
    170 - 179 - FortiManagers
    180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
    190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
Fortinet products, non-FortiGate, are found from 160 - 189.
Example Network
Variations on network shown in Figure 3 are used for many of the examples in this
document. In this example, the 172.20.120.0 network is equivalent to the Internet. The
network consists of a head office and two branch offices.
Figure 3: Example network
[Diagram not reproduced. Labels recovered from the figure: Head office with a
FortiGate-620B HA cluster, FortiMail-100C, FortiWiFi-80CM (WLAN: 10.12.101.100,
SSID: example.com, Password: supermarine, DHCP range: 10.12.101.200-249),
FortiGate-82C (Port 1 in sniffer mode, Port 8 mirror of ports 2 and 3),
FortiAnalyzer-100B, Linux PC 10.11.101.20 and Windows PC 10.11.101.10; a Branch
office with FortiGate-3810A, FortiManager-3000B, Linux PC 10.21.101.10, an
Engineering network 10.22.101.0 and a Cluster (Port 1: 10.21.101.102) made up of
FortiGate-5005FA2 (Port 1: 10.21.101.102), FortiGate-5005FA2 (Port 1: 10.21.101.103),
FortiSwitch-5003A (Port 1: 10.21.101.161) and FortiGate-5050-SM (Port 1:
10.21.101.104); a second Branch office with FortiGate-51B (WAN1 172.20.120.122,
Internal 10.31.101.100) and Windows PC 10.31.101.10. Other interface addresses shown:
172.20.120.141, 10.11.101.100, 10.11.101.101, 10.11.101.102, 10.11.101.110,
10.11.101.130, 10.21.101.101, 10.21.101.160, 10.22.101.100.]
Table 9: Example IPv4 IP addresses

Location and device                                   Internal         DMZ              External
Head Office, one FortiGate                            10.11.101.100    10.11.201.100    172.20.120.191
Head Office, second FortiGate                         10.12.101.100    10.12.201.100    172.20.120.192
Branch Office, one FortiGate                          10.21.101.100    10.21.201.100    172.20.120.193
Office 7, one FortiGate with 9 VDOMs                  10.79.101.100    10.79.101.100    172.20.120.194
Office 3, one FortiGate, web server                   n/a              10.31.201.110    n/a
Bob in accounting on the corporate user network
  (DHCP) at Head Office, one FortiGate                10.0.11.101.200  n/a              n/a
Router outside the FortiGate                          n/a              n/a              172.20.120.195

Tips, must reads, and troubleshooting
A Tip provides shortcuts, alternative approaches, or background information about the
task at hand. Ignoring a tip should have no negative consequences, but you might miss
out on a trick that makes your life easier.
A Must Read item details things that should not be missed such as reminders to back up
your configuration, configuration items that must be set, or information about safe
handling of hardware. Ignoring a must read item may cause physical injury, component
damage, data loss, irritation or frustration.
A Troubleshooting tip provides information to help you track down why your
configuration is not working.

Typographical conventions
Table 10: Typographical conventions in Fortinet technical documentation

Convention                                  Example
Button, menu, text box, field, or           From Minimum log level, select Notification.
  check box label
CLI input                                   config system dns
                                                set primary <address_ipv4>
                                            end
CLI output                                  FGT-602803030703 # get system settings
                                            comments : (null)
                                            opmode : nat
Emphasis                                    HTTP connections are not secure and can be intercepted by a
                                            third party.
File content                                <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                                            <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink                                   Visit the Fortinet Technical Support web site,
                                            https://support.fortinet.com.
Keyboard entry                              Type a name for the remote VPN peer or client, such as
                                            Central_Office_1.
Navigation                                  Go to VPN > IPSEC > Auto Key (IKE).
Publication                                 For details, see the FortiOS Handbook.

Registering your Fortinet product
Access to Fortinet customer services, such as firmware updates, support, and
FortiGuard services, requires product registration. You can register your Fortinet product
at http://support.fortinet.com.
Training Services
Fortinet Training Services offers courses that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet training programs serve the
needs of Fortinet customers and partners world-wide.
Visit Fortinet Training Services at http://campus.training.fortinet.com, or email
training@fortinet.com.
Technical Documentation
Visit the Fortinet Technical Documentation web site, http://docs.fortinet.com, for the
most up-to-date technical documentation.
The Fortinet Knowledge Base provides troubleshooting, how-to articles, examples,
FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at
http://kb.fortinet.com.
Comments on Fortinet technical documentation
Send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.
Customer service and support
Fortinet is committed to your complete satisfaction. Through our regional Technical
Assistance Centers and partners worldwide, Fortinet provides remedial support during
the operation phase of your Fortinet product's development life cycle. Our Certified
Support Partners provide first level technical assistance to Fortinet customers, while the
regional TACs solve complex technical issues that our partners are unable to resolve.
Visit Customer Service and Support at http://support.fortinet.com.
Fortinet products End User License Agreement
See the Fortinet products End User License Agreement.