Saturday, September 27, 2014

Fortigate Best Common Practices

In this post we will look at Fortinet's own published BCP (best common practices) document.

At the time of this post, the Aug-6-2014 revision is the most recent. It's a very well-written doc that covers subjects from basic to advanced, including:
  •  management 
  •  firewall policies
  •  vdom
  •  vpn
  •  advance routing 
Two of the most commonly missed suggestions, one for HA and one for VPN, that I would like to highlight:

"Use a non-NPU interface for at least one heartbeat interface to rule out potential NPU"

"Add blackhole routes for subnets reachable using VPN tunnels. This ensures that if a VPN tunnel goes down, traffic is not mistakenly routed to the Internet unencrypted"

NOTE: always try to use a lower performing port for HA operations.

Firmware updates are a must, so stay up to date and so you can take advantage of new features. I always try to obtain a copy of the original software that I'm running before any firmware update in case I need to format the flash.

Perform routine backups before any major changes, updates or firewall resets.
Try to avoid "any" in firewall policies for interfaces or services unless that is what you intended.
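Both of the points above (blackhole routes for VPN subnets, and no wildcard objects in firewall policies) can be checked against a saved FortiGate configuration. The script below is an added example written for this post; it is not from Fortinet's BCP document and not from the author. It assumes the standard FortiOS `config / edit / set / next / end` layout, that the built-in wildcard objects are named `any` (interfaces), `all` (addresses) and `ALL` (service), and it runs on a constructed sample config embedded in the block rather than a real device export.

```python
import re

# Constructed sample FortiOS config (not from the post or from a real device).
# The tunnel to 10.20.0.0/16 has a blackhole route; the one to 10.30.0.0/16 does not.
# Policy 2 uses the built-in wildcard objects the post warns against.
SAMPLE_CONFIG = """\
config router static
    edit 1
        set gateway 203.0.113.1
        set device "port1"
    next
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end
config vpn ipsec phase2-interface
    edit "hq-p2"
        set phase1name "hq"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
    edit "branch-p2"
        set phase1name "branch"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.30.0.0 255.255.0.0
    next
end
config firewall policy
    edit 1
        set name "lan-to-hq"
        set srcintf "port2"
        set dstintf "hq"
        set srcaddr "lan-net"
        set dstaddr "hq-net"
        set action accept
        set service "HTTPS" "SSH"
    next
    edit 2
        set name "lan-to-wan"
        set srcintf "any"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

# Built-in wildcard objects per policy field (assumed FortiOS names).
WILDCARDS = {"srcintf": {"any"}, "dstintf": {"any"},
             "srcaddr": {"all"}, "dstaddr": {"all"}, "service": {"ALL"}}


def parse_fortios(text):
    """Parse config/edit/set/next/end into {section: {entry_id: {key: [values]}}}.
    One level of nesting is enough for the sections audited here."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on whitespace but keep quoted strings together, then drop the quotes.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        kw = tokens[0]
        if kw == "config":
            section = " ".join(tokens[1:])
            sections.setdefault(section, {})
        elif kw == "edit":
            entry = sections[section].setdefault(tokens[1], {})
        elif kw == "set" and entry is not None:
            entry[tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = None
    return sections


def vpn_subnets_without_blackhole(cfg):
    """Return (phase2 name, dst-subnet) for tunnels lacking a blackhole static route."""
    blackholes = {tuple(e["dst"]) for e in cfg.get("router static", {}).values()
                  if e.get("blackhole") == ["enable"] and "dst" in e}
    return [(name, " ".join(p2["dst-subnet"]))
            for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items()
            if "dst-subnet" in p2 and tuple(p2["dst-subnet"]) not in blackholes]


def overly_broad_policies(cfg):
    """Return (policy id, name, fields using a wildcard object) for accept policies."""
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") != ["accept"]:
            continue  # deny policies with wildcards are not the concern here
        broad = [f for f, wild in WILDCARDS.items() if set(pol.get(f, [])) & wild]
        if broad:
            findings.append((pid, pol.get("name", [""])[0], broad))
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for name, subnet in vpn_subnets_without_blackhole(cfg):
        print(f"no blackhole route for VPN subnet {subnet} (phase2 {name})")
    for pid, name, fields in overly_broad_policies(cfg):
        print(f"policy {pid} '{name}' uses wildcard objects in: {', '.join(fields)}")
```

Run it against a real `show full-configuration` export by replacing `SAMPLE_CONFIG` with the file contents; each finding is either a VPN subnet that would leak to the default route if its tunnel drops, or an accept policy whose interface, address or service scope is wider than the post recommends.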

Review the Fortinet BCP document and use what's applicable in your design and operations.

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
