FortiGate Firewalls Checklist: Best Practices and Customizations

Last updated August 1st, 2024 by Erez Tadmor

FortiGate Next-Generation Firewalls (NGFWs) enable organizations to increase network security, speed, efficiency, and scale. To protect your internal networks and improve network security, Fortinet FortiGate firewalls offer basic and advanced Zero Trust Network Access (ZTNA) configurations.  

While you chose Fortinet because it provides advanced capabilities and customizations, the sheer number of options can become overwhelming. When implementing your Fortinet deployment, you can use this FortiGate firewall checklist to understand basic configuration options and various capabilities.  

Basic Firewall Configurations  

Your initial configurations enable you to secure the FortiGate firewall from external risks. Your basic configurations should include: 

  • Using NAT mode as the operating mode, so that the IP addresses of LAN and DMZ resources are not exposed to malicious actors outside the network 
  • Loading the required firmware  
  • Creating an appropriate hostname for use in the CLI prompt, as the SNMP system name, and as the device name in the HA config 
  • Synchronizing the system time with an NTP or PTP server 
  • Creating a unique, complex administrative password 
  • Configuring the management interface's IP address, subnet mask, and administrative access services, such as HTTPS or SSH 

DNS Filter 

With FortiGate firewall DNS filtering, you can use the default rules or create custom ones to manage network user access, and then apply the filter to a firewall policy. On a firewall policy, a DNS filter takes precedence over a web filter. 

Some Fortinet DNS filter settings include: 

  • FortiGuard filtering 
  • Botnet Command and Control (C&C) domain blocking 
  • DNS safe search 
  • External dynamic category domain filtering  
  • External IP address block list 
  • DNS translation  

Daily Operations 

Managing day-to-day operations means monitoring for performance and config changes.  

Config Changes

You should implement a change management procedure that: 

  • Ensures all involved parties know about the change and provide input 
  • Defines the change and its objective 
  • Identifies the security policy's purpose and documents the responsible party, creation date, expiration date, and affected services, applications, users, and devices 
  • Defines a contingency plan 
  • Creates a backup of the current config 
  • Prepares the workflow 
  • Schedules a maintenance window for testing and validating the changes 
  • Audits and documents the completed work, including a backup of the new config 
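The basic-configuration checklist above and the change-management steps (backup before the change, audit and backup after it) both come down to reading a FortiOS configuration backup. The script below is an added example, not Tufin's or Fortinet's code: it flattens the `config` / `edit` / `set` / `next` / `end` structure of a backup, checks a few of the basic items (NAT operating mode, a non-default hostname, NTP synchronization, no cleartext HTTP or Telnet on the management interface), and diffs the pre-change and post-change backups for the audit record. The two backups are constructed samples, the management interface name `mgmt` is an assumption, and the defaults assumed for keys that FortiOS omits from a backup are marked in the comments.

```python
"""Audit a FortiOS configuration backup against the basic-configuration
checklist and diff it against the previous backup for the change record.
The two backups below are constructed samples, not exports from a device."""
from typing import Dict, List, Tuple

# Constructed sample: backup taken before the change window.
BEFORE = """\
config system global
    set hostname "FGT-EDGE-01"
end
config system settings
    set opmode nat
end
config system ntp
    set ntpsync enable
end
config system interface
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

# Constructed sample: backup taken after the window. The change added an
# admin timeout as planned, but also opened HTTP and Telnet on the
# management interface, which the audit should catch.
AFTER = BEFORE.replace(
    "set allowaccess ping https ssh", "set allowaccess ping https ssh http telnet"
).replace('set hostname "FGT-EDGE-01"', 'set hostname "FGT-EDGE-01"\n    set admintimeout 5')


def parse_fortios(text: str) -> Dict[str, str]:
    """Flatten a FortiOS CLI backup into {"scope/key": "value"} pairs.
    'config a b' opens a scope, 'edit "x"' a named entry within it, and
    'next' / 'end' close them; quotes around values are stripped."""
    flat: Dict[str, str] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, _, rest = line.partition(" ")
        if verb == "config":
            stack.append(rest)
        elif verb == "edit":
            stack.append(rest.strip('"'))
        elif verb in ("next", "end"):
            if stack:
                stack.pop()
        elif verb == "set":
            key, _, value = rest.partition(" ")
            flat["/".join(stack + [key])] = value.strip('"')
    return flat


def audit_basics(cfg: Dict[str, str], mgmt_if: str = "mgmt") -> List[str]:
    """Return findings against the basic checklist; an empty list means all pass.
    FortiOS omits keys still at their default from backups, so an absent key
    is read as the default assumed in each check (assumption made here)."""
    findings: List[str] = []
    if cfg.get("system settings/opmode", "nat") != "nat":
        findings.append("operating mode is not NAT")
    hostname = cfg.get("system global/hostname", "")
    if not hostname or hostname.lower().startswith("fortigate"):
        findings.append("hostname is missing or still a generic default")
    if cfg.get("system ntp/ntpsync", "enable") != "enable":
        findings.append("NTP synchronization is disabled")
    access = set(cfg.get(f"system interface/{mgmt_if}/allowaccess", "").split())
    cleartext = sorted(access & {"http", "telnet"})
    if cleartext:
        findings.append(f"management interface allows cleartext services: {cleartext}")
    return findings


def diff_configs(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (path, old, new) for every key that changed, was added (old == "")
    or was removed (new == ""), in path order, for the post-change audit record."""
    changes: List[Tuple[str, str, str]] = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path, ""), after.get(path, "")
        if old != new:
            changes.append((path, old, new))
    return changes


if __name__ == "__main__":
    pre, post = parse_fortios(BEFORE), parse_fortios(AFTER)
    for path, old, new in diff_configs(pre, post):
        print(f"changed {path}: {old!r} -> {new!r}")
    for finding in audit_basics(post):
        print("FINDING:", finding)
```

Run it against real backups by reading the two files into `BEFORE` and `AFTER`; the diff output is what goes into the change record, and any finding from `audit_basics` on the post-change backup is a reason to invoke the contingency plan before the maintenance window closes.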

Performance monitoring 

You can use any of the following protocols for monitoring resource utilization: 

  • SNMP 
  • NetFlow 
  • sFlow 

If you use SNMP polling or traps to report performance, make sure you have resource utilization baselines to help with: 

  • IPS signature rates 
  • Abnormal activity indicating a potential attack 
  • Bandwidth comparisons over time 
  • WAN and SD-WAN bandwidth for traffic shaping 
  • Security profile tuning 
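A baseline is only useful if something compares the current poll against it. The script below is an added example (not Tufin's or Fortinet's code) of that comparison: it builds a per-metric mean and standard deviation from polled history and flags a poll whose value lies well above the baseline, which is the "abnormal activity indicating a potential attack" case above. The poll data is constructed, the metric names are labels chosen here rather than SNMP OIDs, and the thresholds (`MIN_SAMPLES`, `k`, `min_delta`) are assumed starting values to tune per device.

```python
"""Build per-metric utilization baselines from SNMP poll history and flag a
poll that departs from them. The poll data below is constructed; the metric
names are labels chosen here, not SNMP OIDs."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (metric, value) pairs from a hypothetical 5-minute poller,
# twelve polls each of CPU utilization (%) and the session count.
HISTORY: List[Tuple[str, float]] = (
    [("cpu", v) for v in (22, 25, 24, 27, 23, 26, 25, 24, 28, 22, 26, 25)]
    + [("sessions", v) for v in (1100, 1150, 1080, 1200, 1120, 1090,
                                 1170, 1110, 1140, 1160, 1100, 1130)]
)

MIN_SAMPLES = 10  # a baseline built from fewer polls is not trusted (assumed value)


def build_baselines(polls: List[Tuple[str, float]],
                    min_samples: int = MIN_SAMPLES) -> Dict[str, Tuple[float, float]]:
    """Return {metric: (mean, population stdev)} for each metric that has
    at least min_samples polls; metrics with less history get no baseline."""
    by_metric: Dict[str, List[float]] = defaultdict(list)
    for metric, value in polls:
        by_metric[metric].append(float(value))
    return {m: (statistics.fmean(v), statistics.pstdev(v))
            for m, v in by_metric.items() if len(v) >= min_samples}


def evaluate_poll(current: Dict[str, float],
                  baselines: Dict[str, Tuple[float, float]],
                  k: float = 3.0, min_delta: float = 0.05
                  ) -> Tuple[List[Tuple[str, float, float]], List[str]]:
    """Return (alerts, unbaselined). An alert is (metric, value, threshold) for
    a value more than k standard deviations above its baseline mean. A flat
    history (stdev 0) would otherwise flag any movement, so the allowed
    deviation is floored at min_delta * mean. Metrics without a baseline are
    returned separately rather than silently treated as normal."""
    alerts: List[Tuple[str, float, float]] = []
    unbaselined: List[str] = []
    for metric, value in current.items():
        if metric not in baselines:
            unbaselined.append(metric)
            continue
        mean, sd = baselines[metric]
        threshold = mean + max(k * sd, min_delta * mean)
        if value > threshold:
            alerts.append((metric, value, round(threshold, 1)))
    return alerts, unbaselined


def check_latest(current: Dict[str, float]) -> Tuple[List[str], List[str]]:
    """Convenience wrapper: names of alerting metrics and of unbaselined ones."""
    alerts, unbaselined = evaluate_poll(current, build_baselines(HISTORY))
    return [m for m, _, _ in alerts], unbaselined


if __name__ == "__main__":
    # Constructed "latest" poll: CPU and sessions far above baseline, and a
    # memory metric that was never polled before.
    latest = {"cpu": 91.0, "sessions": 4800.0, "memory": 40.0}
    alerts, unbaselined = evaluate_poll(latest, build_baselines(HISTORY))
    for metric, value, threshold in alerts:
        print(f"ALERT {metric}: {value} exceeds baseline threshold {threshold}")
    for metric in unbaselined:
        print(f"NO BASELINE for {metric}; collect more history before alerting")
```

The same per-metric baselines serve the other items in the list: a steadily rising mean for an interface counter is the bandwidth comparison over time, and a metric that alerts repeatedly at a fixed time of day is usually a signal to tune the threshold or a security profile rather than evidence of an attack.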

Remote Access 

FortiGate firewalls offer several network security options for remote access across your distributed workforce.  

SSL VPN 

You can deploy the SSL VPN in: 

  • Tunnel mode: SSL VPN encrypts the remote client computer's traffic and sends it to the FortiGate through an SSL VPN tunnel over an HTTPS link 
  • Web mode: Clientless network access via a web browser with its built-in SSL encryption 

IPsec VPN 

Using the Internet Protocol Security (IPsec) protocol suite, an IPsec VPN creates encrypted tunnels at the network layer, on top of the IP protocol that routes packets.  

You can use IPsec VPN to create various network topologies. When creating your VPN security policies, you should: 

  • Define policy addresses for the private network IP addresses behind the remote VPN peer 
  • Decide whether you want a policy-based or route-based VPN, since that choice determines the security policy requirements 

For a policy-based VPN, you can usually create a single IPsec policy that controls both inbound and outbound traffic. Some policy considerations include: 

  • Specifying the IP addresses that can initiate a tunnel 
  • Defining inbound and outbound NAT options for the security policies through the CLI 
  • Configuring an IPsec policy for each network 
  • Placing the IPsec policies at the top of the list, ordered so that the FortiGate firewall applies specific constraints before general ones 

Route-based VPN 

With a route-based VPN, you create ACCEPT policies to manage traffic between the IPsec interface and the private network interface. 

Some security policy configurations for the ACCEPT policies include: 

  • Name: Security policy name 
  • Incoming interface: Interface connected to the private network behind the FortiGate  
  • Outgoing interface: The configured IPsec interface 
  • Source: Address name for the private network 

Some security policy configurations needed for the remote client to initiate communication include: 

  • Name: Security policy name 
  • Incoming interface: The configured IPsec interface 
  • Outgoing interface: Interface connected to the private network 
  • Source: Private network address behind the remote peer 
  • Destination: Address for the local private network  

User and Authentication 

FortiGate firewalls allow you to assign people to user groups so that you can apply the principle of least privilege and reduce unauthorized access risks.  

Fortinet’s firewalls provide diverse options for setting authentication controls: 

  • FortiOS: Defining local accounts (username/password) and peer users stored on the FortiGate  
  • LDAP server: Using an LDAP connection to Active Directory, so you can count and display the active users per Active Directory LDAP group in the Firewall Users widget and the CLI 
  • Remote Authentication Dial-In User Service (RADIUS): Centralizing authentication, authorization, and accounting functions for access to network resources that use authentication, such as a VPN server or switches 
  • SAML: Allowing Single Sign-On (SSO) for FortiGate firewall authentication, authorizing user access to the SSL VPN and other applications 

Ease Fortinet FortiGate Management with Tufin 

Tufin integrates with Fortinet's FortiManager and FortiGate so you can centrally manage your complex network. Our Unified Security Policies (USP) and automated network access workflows enable you to maintain consistency across multiple firewall vendors, including Palo Alto, Check Point, and Cisco Meraki. 
