Fortigate 110C firewall

I've inherited a Fortigate firewall at work - certainly not my first choice of firewall!

Anyway I've been reading up on what it can and can't do, but quick question.

Can it host a non-authoritative DNS server, and can it act as an NTP server?

I think the answer is yes to the first question, but not to the next.

Basically I'm looking at killing off lots of bad firewall rules: DCs going to the internet for NTP, DNS and so forth. I don't like that. I'd rather the firewall did it, and get a Linux server up and running for NTP. Minimise LAN/Wintel exposure, etc.

Shame they've only got one firewall too; I asked what they were using for the 2nd layer and got a blank look of "why would we want to do that?" :(

I suppose I could look at Pfdefence, is it?

ESX servers multi-homed too :( LAN and DMZ - a nice bridge over the firewall in my view. I've told them ESXi and move the DMZ VMs onto it (oh, but we have to pay for that - err, no, not for a standalone ESXi server!)
 
Had to deal with this scenario many a time, so here's my opinion on the task at hand; as ever, your mileage may vary....


  • Familiarise yourself with the rule base.
  • Remove any unused rules from the rule base.
  • Tighten up the rule base.
  • Don't use the firewall as a DNS or NTP server. It's a firewall; its job is to protect the networks behind it by filtering traffic and inspecting packets.
    Either nominate a single DC to be the NTP server and DNS server for the rest of the network, or build a Linux box to perform these tasks and put it in its own DMZ. Neither solution is inherently more secure than the other; personal preference rules here.
  • Find out if the firewall is under a support contract. If it is, find out just how out of date the FW software is and update if required.
    If the unit has no support contract, ask for a budget to replace it with a new unit with a support contract: Checkpoint, Cisco, Juniper, Sonicwall (in my order of preference).

    And finally
  • Accept that they will not value network security.
  • Accept that they will not be happy with increased security, but they will get used to it.
 

I like this post. Agreed on all points.

- GP
 

Yup, already gone through the rules, exported the list and highlighted "problem" rules and groups at the mo.

WSUS server going straight out with an ANY rule, etc. Err, that's going to be changed to go via the proxy, with the service account locked to the relevant URLs. Internet surfing with the administrator and svc accounts appears to be common, so I'm going to be addressing that too!

Email filtering kit in the DMZ is currently set up to query the AD DNS servers, which then go out to resolve the external addresses - not what I would have done.

I was originally going to provision a Linux server as a non-auth DNS and NTP server purely for the internal LAN and create the firewall rules for this. I've recently changed the NTP setup as they were using ESX for timekeeping (bad, bad). So I've created a WMI query to assign a GPO based on which server holds the PDC role, and that currently goes out to the internet. No, I'm not planning on changing roles at the mo, even though AD is a mess.

I've then created an NTP alias in DNS and pointed various kit to this, with a view to a Linux server going in, but they are against this as they "can't" support Linux. So if the Linux server goes in, the DNS alias record will be changed rather than changing all the bloody kit again.

I believe it's under support at the mo, but miles behind re updates, so I'll be addressing this. If I could choose what I wanted it'd be a Juniper or Sidewinder, but I doubt they'd go for that, lol.

Got a very good mate who's pen-testing the external firewall shortly and giving me the report; I'm expecting him to find plenty of issues.
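
The LAN-only NTP server described in the post above, written out as an added example (not from the thread) in classic ntpd `ntp.conf` syntax, which is what a CentOS box of that era ships with. The 192.168.10.0/24 LAN range, the `time.example.internal` alias and the upstream pool hostnames are assumptions for illustration.

```conf
# /etc/ntp.conf - internal NTP server; clients point at the DNS alias
# time.example.internal (assumed name), which resolves to this host.
driftfile /var/lib/ntp/drift

# Default: answer nobody. Clients must be granted below.
#   kod       - send kiss-o'-death to abusive clients
#   nomodify  - refuse ntpq/ntpdc runtime changes
#   notrap    - refuse trap (remote logging) service
#   nopeer    - refuse unsolicited peering
#   noquery   - refuse ntpq/ntpdc status queries (monlist etc.)
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local management on the box itself
restrict 127.0.0.1
restrict -6 ::1

# Internal LAN (assumed range): may sync time, nothing else
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap nopeer noquery

# Upstream sources (assumed). These are the only hosts this server
# needs outbound UDP/123 to, so the firewall rule becomes
# "this host -> these servers, NTP" instead of ANY <> ANY.
server 0.uk.pool.ntp.org iburst
server 1.uk.pool.ntp.org iburst
server 2.uk.pool.ntp.org iburst
```

With this in place the PDC emulator, the DCs and the DMZ kit all chase the one internal alias, and the only outbound NTP rule left on the firewall is from this single host to its upstream servers. The `noquery` on the LAN line keeps `ntpq` status and the amplification-prone legacy `monlist` query away from anything but the box itself; if you later want `ntpq -p` from a management host, add a separate `restrict` line for that one address without `noquery`.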
 
Located an ESX server that has two connections to the DMZ.

One via a physical NIC and the other via a VLAN, with the VM DMZ network using the same NICs as the other internal VM networks.

Going to get an install of CentOS up and running and go from there. Need to also review what's in the DMZ and what it's talking to, etc.

Located a DMZ NTP Rule.

ANY <> ANY - NTP service - that'll be changed!
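
The "remove unused rules / tighten the rule base" steps from the advice post earlier, and the ANY <> ANY NTP rule just found, are the same check run over an exported rule list. Below is an added example of that check (my code, not from the thread or from Fortinet): it reads a policy export in an assumed CSV layout and flags rules that are overly broad, zero-hit, disabled-but-present, or that let internal hosts do DNS/NTP straight to the internet. The sample export is constructed to resemble the rules described in the thread; the column names, the `wan1` interface name and the hit-count column are assumptions.

```python
"""Audit an exported firewall rule base for 'problem' rules.

Added example, not from the thread. The CSV layout below is assumed:
id,name,srcintf,dstintf,srcaddr,dstaddr,service,action,hits,enabled
"""
import csv
import io

# Constructed sample export (not a real FortiGate export).
SAMPLE_EXPORT = """\
id,name,srcintf,dstintf,srcaddr,dstaddr,service,action,hits,enabled
1,WSUS out,internal,wan1,WSUS-SRV,all,ALL,accept,14023,1
2,DMZ NTP,any,any,all,all,NTP,accept,88,1
3,DC DNS out,internal,wan1,DC-GROUP,all,DNS,accept,9812,1
4,Old VPN,internal,wan1,OLD-VPN-BOX,all,ALL,accept,0,1
5,Mailfilter to DC DNS,dmz,internal,MAILFILTER,DC-GROUP,DNS,accept,5120,1
6,Proxy out,internal,wan1,PROXY,all,HTTP HTTPS,accept,200311,1
7,Retired rule,internal,wan1,all,all,ALL,accept,0,0
"""

WILDCARDS = {"all", "any", "*"}
INTERNET_INTERFACES = {"wan1"}          # assumed name of the outside interface
DIRECT_OUT_SERVICES = {"DNS", "NTP"}    # should go via an internal forwarder/NTP host


def is_wildcard(value):
    return value.strip().lower() in WILDCARDS


def audit_rule(rule):
    """Return a list of findings for one rule; empty if it looks fine."""
    findings = []
    broad = [f for f in ("srcaddr", "dstaddr", "service") if is_wildcard(rule[f])]

    if rule["action"].lower() == "accept":
        if len(broad) == 3:
            findings.append("ANY<>ANY ANY-service accept")
        elif "srcaddr" in broad and "dstaddr" in broad:
            findings.append("ANY<>ANY accept for service %s" % rule["service"])
        elif "service" in broad:
            findings.append("ANY service from %s to %s" % (rule["srcaddr"], rule["dstaddr"]))

        # Internal hosts resolving / syncing directly against the internet.
        if (rule["dstintf"] in INTERNET_INTERFACES
                and not is_wildcard(rule["srcintf"])
                and rule["service"] in DIRECT_OUT_SERVICES):
            findings.append("%s direct to internet from %s; route via internal %s host"
                            % (rule["service"], rule["srcaddr"], rule["service"]))

    # Rule not pinned to interfaces/zones: matches wherever the packet appears.
    if is_wildcard(rule["srcintf"]) or is_wildcard(rule["dstintf"]):
        findings.append("interface wildcard")

    if int(rule["hits"]) == 0:
        findings.append("zero hits: candidate for removal")
    if rule["enabled"].strip() == "0":
        findings.append("disabled: remove rather than leave in rule base")
    return findings


def audit(export_text):
    """Map rule id -> (name, findings) for every rule with at least one finding."""
    report = {}
    for rule in csv.DictReader(io.StringIO(export_text)):
        found = audit_rule(rule)
        if found:
            report[rule["id"]] = (rule["name"], found)
    return report


if __name__ == "__main__":
    for rule_id, (name, found) in audit(SAMPLE_EXPORT).items():
        print("rule %s (%s):" % (rule_id, name))
        for item in found:
            print("    - " + item)
```

Run against the constructed export it flags the WSUS ANY-service rule, the ANY <> ANY NTP rule (twice: broad addresses and wildcard interfaces), the DCs' direct DNS-out rule, and the two zero-hit rules, while leaving the proxy and mail-filter rules alone. Zero hits only means "nothing has matched since the counters were last reset", so confirm the reset date before deleting; a quarterly-only job can look unused for months.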
 
I know, but why?

More control, but at the expense of more complexity. It's not that unusual to use a transparent proxy just to keep an eye on what a WSUS server is up to.

@Mikey
I'd still try for a replacement for the WatchGuard. I honestly do not know why people insist on buying WatchGuards; for the money they would be better off buying Sonicwall kit.
 