I have recently got involved with trying to harden a FortiGate firewall appliance for PCI compliance; below are the steps I have taken to reach an acceptable level of compliance. This guide is by no means definitive and should be taken as a high-level method of securing the device. Obviously I accept no responsibility or liability for issues following the use of my config; you use this at your own peril!
- The first step was to ensure I had a valid certificate securing both the admin access and SSLVPN elements of the firewall; in this instance I used GoDaddy for the certificate.
- Next I took steps to ensure we were only using the latest version of TLS (1.2 at the time of writing): I disabled SSLv3, enabled strong-crypto and restricted the SSLVPN to the high algorithm set.
For admin access (each config block must be closed with end for the settings to take effect):
config system global
    set admin-https-banned-cipher rc4 low
    set admin-https-redirect enable
    set admin-https-ssl-versions tlsv1-2
    set strong-crypto enable
end
For SSLVPN access:
config vpn ssl settings
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 disable
    set tlsv1-2 enable
    set algorithm high
end
- Admin access was locked down to trusted hosts only and the default admin port was changed. The SSLVPN port was moved away from 443.
Depending on your PCI compliance scanner of choice, the SSLVPN may still fail: the scanner will not specifically be looking for an SSLVPN service, and unfortunately there is currently no way to fully disable the SSLVPN web portal, which responds on ports 80 and 443 (unless you enable https-redirect).
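As an added check that is not part of the original post or of Fortinet's own tooling: a small Python audit that parses a FortiOS config backup and reports which of the settings from the steps above are missing. The sample config is constructed for the example; the audit treats settings absent from the backup as still at their factory default, which is how FortiOS backups omit them.

```python
# Constructed sample (not a real device); settings at factory default are omitted from FortiOS backups.
SAMPLE_CONFIG = """\
config system global
    set admin-https-ssl-versions tlsv1-2
    set strong-crypto enable
    set admin-sport 8443
end
config vpn ssl settings
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-2 enable
    set algorithm high
end
"""

REQUIRED = {  # section -> the settings the hardening steps above call for
    "system global": {"admin-https-ssl-versions": "tlsv1-2",
                      "admin-https-redirect": "enable", "strong-crypto": "enable"},
    "vpn ssl settings": {"sslv3": "disable", "tlsv1-0": "disable", "tlsv1-1": "disable",
                         "tlsv1-2": "enable", "algorithm": "high"},
}

def parse_fortios(text):
    """Map 'section[/entry]' -> {key: value} for a FortiOS 'config ... end' dump."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            stack.append(line.split(" ", 1)[1].strip('"'))
            sections.setdefault("/".join(stack), {})
        elif line in ("end", "next"):
            stack.pop()
        elif line.startswith("set ") and stack:
            key, _, value = line[4:].partition(" ")
            sections["/".join(stack)][key] = value
    return sections

def audit(text):
    """Return findings; an empty list means every step checked here is in place."""
    cfg, findings = parse_fortios(text), []
    for section, wanted in REQUIRED.items():
        for key, value in wanted.items():
            got = cfg.get(section, {}).get(key)  # None: missing, i.e. still at default
            if got != value:
                findings.append(f"{section}: {key} is {got!r}, expected {value!r}")
    for section, key in (("system global", "admin-sport"), ("vpn ssl settings", "port")):
        if cfg.get(section, {}).get(key, "443") == "443":  # absent means default 443
            findings.append(f"{section}: {key} still on default port 443")
    return findings
```

Run audit() over a config backup before the compliance scan; on the sample it flags the missing https-redirect, the tlsv1-1 setting left at default and the SSLVPN port still on 443.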
I would be interested to hear from anyone else who has tried to secure a FortiGate for PCI purposes, as I am sure there are further tweaks required.