27 Firewall Auditing Tips you need to know
My Fortigate firewall https://amzn.to/3phfikH does a great job in protecting our office, very easy to manage, and with tons of next-generation features as application control, IPS, web filter, and more.
But that’s just the beginning of managing a firewall, you need to audit it from time to time, and by doing so, you will eliminate attack/vulnerability vectors that may cause you damage.
So here are my best 27 auditing tips and at the end, you will also find my 10 best practices, youtube video
- Physically secure your Firewall ( make sure it is sealed in a secure place, with authorized access only ). physical security measures should be treated equally as any other security procedure in your office
- Double Check the management protocols- HTTPS for managing the graphical user interface of your firewall and ssh for connecting through the CLI. those 2 protocols should be the only one allowed, unless, you need other protocols for specific purposes as connecting to other platforms
- Use admin trusted host — always use trusted IP addresses, as your home IP address and your office. those trusted IP’s will be the only addresses allowed for admin management access
- Check your admin lockout time — the higher the lockout threshold, the higher the risk that someone may be able to break into your firewall
- Unused rules — probably one of the very first things you need to do, check for unused rules that were asked a time ago, but now they are not relevant. they can also be a backdoor if there is no need for them anymore
- Rules documentation — make sure that everything is documented: who asked for a specific rule, when, how is your topology designed …
- Keep copies of your security policies
- Save revisions — when you backup your firewall, make sure that you keep revisions of the old configurations, just in case you will need them, later on, or in case that you need to recover the old configuration
- Check that you have access to all of your firewall logs. logs are crucial to your security and stability in your organization, treat them with respect and be sure that you have access to them 24 hours
- Be sure to have at least logs from one week ago, if possible ( it depends on your logs machine storage ) 30 days is preferred
- Gain a diagram of the current network. it will always be handy and will allow you to troubleshoot issues quicker
- Document previous Audits
- Review documentation from previous audits.
- Make sure that you Identify all relevant ISPs and VPNs. you may be surprised to learn, that you have connections that are irrelevant or even suspicious
- SSL encryption algorithms — config VPN SSL settings — are you using the strongest algorithms? it is a good practice to use the highest cipher algorithm as long as the other side supports them
- IPsec encryption and hash algorithms — again use the strongest ( if possible )
- Disable ping in your LAN GW interfaces
- Disable DHCP in your DMZ interfaces
- Disable DHCP in your WAN interfaces
- Who asked for specific rules? make a copy of each request
- Who authorized them? Make a copy of that also
- Don't use ANY in policies
- Specific rules at the top — general down — that is the Basics of configuring firewalls, be sure to check that also
- Delete or disable unused firewall objects
- Remove unused connections
- If you have FTP as a requirement, ensure that the server is placed in a different subnet than the internal protected network.
- Distributed firewalls — Ensure that you have internal firewalls protecting segments in your organization
My Fortigate Admin Pocket Guide Book https://amzn.to/3brDX1t
You can subscribe to my channel at youtube.com/fortitip or join my FortiGate courses at https://www.udemy.com/course/fortigate-admin-crash-course/?referralCode=0B534DCF7A6D8BD3417E