Hardening FortiGates for PCI Compliance

I have recently got involved with trying to harden a FortiGate Firewall Appliance for PCI Compliance; below are the steps I have taken to gain an acceptable level of compliance. This guide is by no means definitive and should be taken as a high-level method of security. Obviously I accept no responsibility or liability for issues following the use of my config, you use this at your own peril!

  • First step was to ensure I had a valid certificate securing both the admin access and SSLVPN elements of the firewall; in this instance I used GoDaddy for the certificate.
  • Next I took steps to ensure we were only using the very latest version of TLS (1.2 at the time of writing): I disabled the use of SSLv3, enabled strong-crypto and restricted the SSLVPN to the high cipher algorithm set.

For Admin access:

config system global
set admin-https-banned-cipher rc4 low
set admin-https-redirect enable
set admin-https-ssl-versions tlsv1-2
set strong-crypto enable
end

For SSLVPN Access:

config vpn ssl settings
set sslv3 disable
set tlsv1-0 disable
set tlsv1-1 disable
set tlsv1-2 enable
set algorithm high
end

  • Admin access was locked down to trusted hosts only and the default admin port was changed. The SSLVPN port was changed away from 443.
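Once the changes are in, it is worth checking a config backup against the baseline above rather than trusting the CLI session. The following is an added example (not from the original post or from Fortinet): it parses flat FortiOS "config ... set ... end" blocks from a constructed sample backup, assumes no nested config/edit sections inside the two blocks of interest, and reports any setting that deviates from the values used in this post.

```python
# Constructed sample in FortiOS backup format; the SSLVPN block deliberately leaves TLS 1.0 enabled.
SAMPLE_CONFIG = """\
config system global
    set admin-https-redirect enable
    set admin-https-ssl-versions tlsv1-2
    set strong-crypto enable
end
config vpn ssl settings
    set sslv3 disable
    set tlsv1-0 enable
    set tlsv1-1 disable
    set tlsv1-2 enable
    set algorithm high
end
"""

# Values the post's hardening steps require, keyed by config section.
EXPECTED = {
    "system global": {"admin-https-ssl-versions": "tlsv1-2",
                      "strong-crypto": "enable", "admin-https-redirect": "enable"},
    "vpn ssl settings": {"sslv3": "disable", "tlsv1-0": "disable",
                         "tlsv1-1": "disable", "tlsv1-2": "enable",
                         "algorithm": "high"},
}

def parse_fortios(text):
    """Return {section: {key: value}} for top-level 'config ... end' blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line[len("config "):]
            sections.setdefault(current, {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[len("set "):].partition(" ")  # rest of line is the value
            sections[current][key] = value
        elif line == "end":
            current = None
    return sections

def find_deviations(text):
    """List (section, key, expected, actual) for settings that miss the baseline."""
    parsed = parse_fortios(text)
    deviations = []
    for section, wanted in EXPECTED.items():
        actual = parsed.get(section, {})
        for key, value in wanted.items():
            if actual.get(key) != value:
                deviations.append((section, key, value, actual.get(key)))
    return deviations
```

Feed it the output of a full backup and an empty list means the two sections match the baseline; a missing key is reported with an actual value of None.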

Depending on your PCI Compliance scanner of choice, the SSLVPN may still fail, as the scanner will not be looking specifically for an SSLVPN service, and unfortunately there is currently no means to fully disable the SSLVPN web portal, which responds on 80 and 443 (unless you have enabled https-redirect).

I would be interested to hear from anyone else who has tried to secure a FortiGate for PCI purposes, as I am sure there are further tweaks required.

About Will Curtis
Network Engineer, Productivity Geek, Pretend Photographer & Lego Fanatic. Even heroes have a day job! Networks & telecom engineer with 16 years experience in the IT/Comms industry. Passionate about productivity and GTD methodologies. Amateur [Photo|Video]grapher & dreamer. Apple fan. Dad.
