Fortigate防火墙安全配置规范

Fortigate防火墙安全配置规范1.概述1.1. 目的本规范明确了Fortigate防火墙安全配置方面的基本要求。

为了提高Fortigate防火墙的安全性而提出的。

1.2. 范围本标准适用于 XXXX使用的Fortigate 60防火墙的整体安全配置，针对不同型号详细的配置操作可以和产品用户手册中的相关内容相对应。

2.设备基本设置2.1. 配置设备名称制定一个全网统一的名称规范，以便管理。

2.2. 配置设备时钟建议采用NTP server同步全网设备时钟。

如果没有时钟服务器，则手工设置，注意做HA的两台设备的时钟要一致。

2.3. 设置Admin口令缺省情况下，admin的口令为空，需要设置一个口令。

密码长度不少于8个字符，且密码复杂。

2.4. 设置LCD口令从设备前面板的LCD可以设置各接口IP地址、设备模式等。

需要设置口令，只允许管理员修改。

密码长度不少于8个字符，且密码复杂。

2.5. 用户管理用户管理部分实现的是对使用防火墙某些功能的需认证用户（如需用户认证激活的防火墙策略、IPSEC扩展认证等）的管理，注意和防火墙管理员用于区分。

用户可以直接在fortigate上添加，或者使用RADIUS、LDAP服务器上的用户数据库实现用户身份认证。

单个用户需要归并为用户组，防火墙策略、IPSEC扩展认证都是和用户组关联的。

2.6. 设备管理权限设置为每个设备接口设置访问权限，如下表所示：接口名称允许的访问方式Port1 Ping/HTTPS/SSH Port2 Ping/HTTPS/SSH Port3 Ping/HTTPS/SSH Port4 HA心跳线，不提供管理方式Port5 （保留）Port6 （保留）且只允许内网的可信主机管理Fortinet设备。

2.7. 管理会话超时管理会话空闲超时不要太长，缺省5分钟是合适的。

2.8. SNMP设置设置SNMP Community值和TrapHost的IP。

fortigate防火墙怎么样设置fortigate防火墙的设置好坏，会影响到我们电脑的安全，那么要怎么样去设置呢?下面由店铺给你做出详细的fortigate防火墙设置方法介绍!希望对你有帮助!fortigate防火墙设置方法一：近期经常有群友和坛友反映将FortiOS升级到4.0 MR2后经常出现资源利用率很高的情况，大家可以参考下面的一些建议;1，FortiGate设备应该有足够的资源应对攻击资源利用率最好不要超过65% get sys performance status 在65%到85%是正常的。

2，只开启用得着的管理服务如果不用SSH或SNMP，就不要启用,避免开放可用的端口.。

3，将用得最多或最重要的防火墙策略尽量靠前防火墙策略是至上而下执行的。

4，只开启那些必要的流量日志流量日志会降低系统性能。

5，只开启那些必须的应用层协议检查应用层检查对系统性能是敏感的。

6，最小化发送系统告警信息如果已经配置了syslog或FAZ日志,尽可能不要配置SNMP或Email告警。

7，AV/IPS特征库更新间隔为4或6小时并启用允许服务器推升级。

8，精简保护内容表数量。

9，删除不必要的保护内容表。

10，精简虚拟域数量删除不必要的虚拟域低端设备最好不要用虚拟域。

11，如果性能显示不足就避免启用流量整形流量整形将降低流量处理性能如何优化防火墙内存使用率1，尽量不启用内存日志2，尽量不启用不必要的AV扫描协议3，减小扫描病毒文件的上限值，大多数带病毒的文件文件都小于2、3M4，删除不用的DHCP服务5，取消不用的DNS转发服务6，如IPS不需要，执行命令节省内存 Diag ips global all status disable7，改变session的ttl值set default 300 [conf sys session-ttl]set tcp-halfclose-timer 30 [config sys global]set tcp-halfopen-timer 20 [conf sys global]8，改变fortiguard的ttl值set webfilter-cache-ttl [conf sys fortiguard ]set antispam-cache-ttl [conf sys fortiguard ]9，改变DNS缓存的条数set dns-cache-limit [conf sys dns]10，不启用DNS转发unset fwdintf [conf system dns]上面出现的命令可查看CLI文档中相关用法fortigate防火墙设置方法二：恢复飞塔(FortiGate)防火墙的出厂设置当我们不能登录飞塔(FortiGate)防火墙的管理界面时可以使用此方法，不过必须要知道管理密码。

Fortinet产品家族fortinet 的产品家族涵盖了完备的网络安全解决方案包括邮件，日志，报告，网络管理，安全性管理以及fortigate 统一安全性威胁管理系统的既有软件也有硬件设备的产品。

更多fortinet产品信息，详见/products.FortiGuard服务订制fortiguard 服务定制是全球fortinet安全专家团队建立,更新并管理的安全服务。

fortinet安全专家们确保最新的攻击在对您的资源损害或感染终端用户使用设备之前就能够被检测到并阻止。

fortiguard服务均以最新的安全技术构建，以最低的运行成本考虑设计。

fortiguard 服务订制包括：1、fortiguard 反病毒服务2、 fortiguard 入侵防护（ips）服务3、 fortiguard 网页过滤服务4、fortiguard 垃圾邮件过滤服务5、fortiguard premier伙伴服务并可获得在线病毒扫描与病毒信息查看服务。

FortiClientforticlient 主机安全软件为使用微软操作系统的桌面与便携电脑用户提供了安全的网络环境。

forticlient的功能包括：1、建立与远程网络的vpn连接2、病毒实时防护3、防止修改windows注册表4、病毒扫描forticlient还提供了无人值守的安装模式，管理员能够有效的将预先配置的forticlient分配到几个用户的计算机。

FortiMailfortimail安全信息平台针对邮件流量提供了强大且灵活的启发式扫描与报告功能。

fortimail 单元在检测与屏蔽恶意附件例如dcc（distributed checksum clearinghouse）与bayesian扫描方面具有可靠的高性能。

在fortinet卓越的fortios 与fortiasic技术的支持下，fortimail反病毒技术深入扩展到全部的内容检测功能，能够检测到最新的邮件威胁。

FortiOS™ 6.0Fortinet’s Network Operating SystemControl all the security and networking capabilities in all your Fortinet Security Fabric elements with one intuitive operating system. Improve your protection and visibility while reducing operating expenses and saving time with a truly consolidated next-generation enterprise firewall solution. FortiOS enables the Fortinet Security Fabric vision for enhancedprotection from IoT to Cloud.FortiOS is a security-hardened, purpose-built operating system that is the software foundation of FortiGate. Control all the security and networking capabilities in all your FortiGates across your entire network with one intuitive operating system. FortiOS offers anextensive feature set that enables organizations of all sizes to deploy the security gateway setup that best suits theirenvironments. As requirements evolve, you can modify them withminimal disruptions and cost.As companies look to transform everything from their business operating models to service delivery methods, they are adopting technologies such as mobile computing, IoT and multi-cloud networks to achieve business agility, automation, and scale. Theincreasing digital connectedness of organizations is driving the requirement for a security transformation, where security is integrated into applications, devices, and cloud networks to protect business data spread across these complex environments. FortiOS™ 6.0 delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence, and automated response required for digital business. The Fortinet Security Fabric, empowered by FortiOS 6.0, is an intelligent framework designed for scalable, interconnected security combined with high awareness, actionable threat intelligence, and open API standards for maximum flexibility and integration to protect even the most demanding enterprise environments. Fortinet’s security technologies have earned the most independent certifications for security effectiveness and performance in the industry. The Fortinet Security Fabric closes gaps left by legacypoint products and platforms by providing the broad, powerful, and automated protection that today’s organizations require across their physical and virtual environments, from endpoint to the cloud.Introducing FortiOS 6.0FortiOS 6.0 AnatomyFEATURE HIGHLIGHTS System Integration§Standard-based monitoring output – SNMP Netflow/Sflow and Syslog support to external (third-party) SIEM and logging system§Security Fabric integration with Fortinet products and technology allianceCentral Management and Provisioning§Fortinet/third-party automation and portal services support via APIs and CLI scripts§Rapid deployment features including cloud-based provisioning solutions§Developer community platform and professional service options for complex integrationsCloud and SDN Integration §Multi-cloud support via integration with Openstack, VMware NSX, Nuage Virtualzed Services, and Cisco ACI infrastructure§NEW: Ease of configuration with GUI support and dyanamic address objectsconfident that your network is getting more secure over time.Fortinet offers the most integrated and automated Advanced Threat Protection (ATP) solution available today through an ATP framework that includes FortiGate, FortiSandbox, FortiMail, FortiClient, and FortiWeb. These products easily work together to provide closed loop protection across all of the most common attack vectors.FSA Dynamic Threat DB UpdateDetailed Status Report File Submission124AutomationStitches are new administrator-defined automated work flows that use if/then statements to cause FortiOS to automatically respond to an event in a pre-programmed way. Because stitches are part of the security fabric, you can set up stitches for any device in the Security Fabric.HIGHLIGHTSMonitoring§Real-time monitors§NOC Dashboard§NEW: IOS push notification via FortiExplorer app§Dashboard NOC view allows you to keep mission-critical information inview at all times. Interactive and drill-down widgets avoid dead-endsduring your investigations, keeping analysis moving quickly and smoothly. OperationFortiOS provides a broad set of operation tools that make identification and response to security and network issues effective. Security operations is further optimized with automations, which contribute to faster and more accurate problem resolutions.Policy and ControlFortiGate provides a valuable policy enforcement point in your network where you can control your network traffic and apply security technologies. With FortiOS, you can set consolidated policies that include granular security controls. Every security service is managed through a similar paradigm of control and can easily plug into a consolidated policy. Intuitive drag-and-drop controls allow you to easily create policies, and one-click navigation shortcuts allow you to more quickly quarantine end points or make policy edits.SecurityFortiGuard Labs provides the industry-leading security services and threat intelligence delivered through Fortinet solutions. FortiOS manages the broad range of FortiGuard services available for the FortiGate platform, including application control, intrusion prevention, web filtering, antivirus, advanced threat protection, SSL inspection, and mobile security. Service licenses are available a-la-carte or in a cost-effective bundle for maximum flexibility of deployment.Industry-leading security effectivenessFortinet solutions are consistently validated for industry-leading security effectiveness inindustry tests by NSS Labs for IPS and application control, by Virus Bulletin in the VB100comparative anti-malware industry tests, and by AV Comparatives.§Recommended Next Generation Firewall with near perfect, 99.47% securityeffectiveness rating. (2017 NSS Labs NGFW Test of FortiGate 600D & 3200D)§Recommended Breach Prevention Systems with 99% overall detection. (2017 NSSBreach Prevention Systems Test of FortiGate with FortiSandbox)§Recommended Data Center Security Gateway with 97.87% and 97.97% securityeffectiveness. (2017 NSS Data Center Security Gateway Test with FortiGate 7060Eand 3000D)§Recommended Next Generation IPS with 99.71% overall security effectiveness. (2017NSS Next Generation IPS Test with FortiGate 600D)§ICSA Certified network firewalls, network IPS, IPsec, SSL-TLS VPN, antivirus.NetworkingWith FortiOS you can manage your networking and security in one consistent native OS on the FortiGate. FortiOS delivers a wide range of networking capabilities, including extensive routing, NAT, switching, Wi-Fi, WAN, load balancing, and high availability, making the FortiGate a popular choice for organizations wanting to consolidate their networking and security functions.SD WANFortiGate SD-WAN integrates next generation WAN and security capabilities into a single, multi-path WAN edge solution. Secure SD-WAN makes edge application aware and keeps application performance high with built-in WAN path controller automation. With integrated NGFW, it is easier to enable direct interent access and continues to keep high security posture with reduced complexity.Platform SupportPerformanceThe FortiGate appliances deliver up to five timesthe next generation firewall performance and10 times the firewall performance of equivalentlypriced platforms from other vendors. The highperformance levels in the FortiGate are basedon a Parallel Path Processing architecture in FortiOS that leveragesperformance, optimized security engines, and custom developednetwork and content processors. Thus, FortiGate achieved thebest cost per Mbps performance value results.Ultimate deployment flexibilityProtect your entire network inside and out through a policy-drivennetwork segmentation strategy using the Fortinet solution. It is easyto deploy segment optimized firewalls, leveraging the wide range ofFortiGate platforms and the flexibility of FortiOS to protect internalnetwork segments, the network perimeter, distributed locations,public and private clouds, and the data center — ensuring youhave the right mix of capabilities and performance for eachdeployment mode.Virtual desktop option to isolate the SSL VPN session from the client computer’s desktop environment IPsec VPN:- Remote peer support: IPsec-compliant dialup clients, peers with static IP/dynamic DNS- Authentication method: Certificate, pre-shared key- IPsec Phase 1 mode: Aggressive and main (ID protection) mode- Peer acceptance options: Any ID, specific ID, ID in dialup user group EMAC-VLAN support: allow adding multiple Layer 2 addresses (or Ethernet MAC addresses) to a single physical interfaceVirtual Wire Pair:- Process traffic only between 2 assigned interfaces on the same network segment- Available on both transparent and NAT/route Mode- Option to implement wildcard VLANs setupGLOBAL HEADQUARTERS Fortinet Inc.899 KIFER ROAD Sunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein 06560 Valbonne FranceTel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6395.2788LATIN AMERICA SALES OFFICE Sawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430 Sunrise, FL 33323United StatesTel: +1.954.368.9990Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.FST -PROD-DS-FOS FOS-DAT-R6-201804RESOURCEURLThe FortiOS Handbook — The Complete Guide /fgt.html Fortinet Knowledge Base/Virtual Systems (FortiOS Virtual Domains) divide a single FortiGate unit into two or more virtual instances of FortiOS that function separately and can be managed independently.REFERENCESConfigurable virtual systems resource limiting and management such as maximum/guaranteed ‘active sessions’ and log disk quotaVDOM operating modes: NAT/Route or Transparent VDOM security inspection modes: Proxy or Flow-based Web Application Firewall:- Signature based, URL constraints and HTTP method policyServer load balancing: traffic can be distributed across multiple backend servers: - B ased on multiple methods including static (failover), round robin, weighted or based on round trip time, number of connections.- Supports HTTP , HTTPS, IMAPS, POP3S, SMTPS, SSL or generic TCP/UDP or IP protocols.- Session persistence is supported based on the SSL session ID or based on an injected HTTP cookie.NOTE: F eature set based on FortiOS V6.0 GA, some features may not apply to all models. For availability, please refer to Softwarefeature Matrix on 。

飞塔防火墙配置摘要：第一部分：办公网络及10兆共享配置信息：1.10兆共享外网接口ip地址：111.160.195.2 255.255.255.2482.与核心交换机接口ip地址：192.168.7.1 255.255.255.03.全公司上网通过10兆共享接口访问internet,做NAT复用地址转换4.Web服务器做负载均衡，需将防火墙2个端口划为一个网段5.将元易诚用户和供应商用户的VPN账号权限分开，根据用户来划分不同的网段。

元易诚用户网段：192.168.20.1-20 安全策略不限制富基供应商：192.168.30.1-10 只允许访问：192.168.1.251-254、192.168.1.19乐天供应商：192.168.40.1-10 只允许访问：192.168.1.144 192.168.9.1（web发布服务器）北方网供应商：192.168.50.1-10 192.168.8.1-3（两台web服务器做负责均衡）6.添加5条路由：第一条：192.168.1.0 0.0.0.255 192.168.7.2第二条：192.168.2.0 0.0.0.255 192.168.7.2第三条：192.168.5.0 0.0.0.255 192.168.7.2第四条：192.168.6.0 0.0.0.255 192.168.7.2第五条：0.0.0.0 0.0.0.0 111.160.195.17.外网接口屏蔽ping功能，启用病毒扫描保护8.做流量限制第二部分：银河购物中心与商管公司的网络数据信息1.购物中心商户网络接入部分分为四个部分：会员中心和服务台部分、商户pc机部分，pos机部分，信息发布部分。

其中会员中心和服务台部分与商管公司网络交互不做限制，商户pc机部分只允许访问指定的ftp服务器（192.168.1.19）.Pos和信息发布部分只允许访问erp数据库（192.168.1.254）.2.安防网过来的数据只可以访问192.168.2~6.0的网段第三部分: 10兆独享配置信息1.10兆独享外网接口ip地址：2.10兆独享接口与内网物业web服务器接口做NAT静态地址装换、并开启相应端口、如80803.10兆独享接口与内网web服务器接口做NAT静态地址转换、并开启相应端口、如：80端口4.10兆独享接口启用web安全防护功能，如：DoS攻击、SQL注入攻击功能等等5.外网接口屏蔽ping功能，启用病毒扫描保护。

fortigate使用手册FortiGate是一款功能强大的网络安全设备，可帮助企业保护其网络免受各种威胁和攻击。

本使用手册将引导您正确配置和使用FortiGate 设备，确保您的网络安全和数据的保护。

一、FortiGate设备简介FortiGate设备是一种集成了防火墙、入侵防御系统、虚拟专用网络等多种功能的网络安全设备。

它采用了先进的硬件和软件技术，能够提供高性能和可靠的安全解决方案。

FortiGate设备适用于各种规模的企业网络，从小型办公室到大型企业网络都可以使用。

二、FortiGate设备的安装与配置1. 设备安装在开始配置FortiGate设备之前，您需要确保设备已经正确安装在网络中。

将设备适配器插入电源插座，并将设备与网络交换机或路由器连接。

确保设备的电源和网络连接正常。

2. 监听设备在配置FortiGate设备之前，您需要确保您的计算机与设备处于同一网络中。

通过打开浏览器，在浏览器地址栏中输入设备的IP地址，如果一切正常，您将能够访问到设备的管理界面。

3. 初始配置初次登录设备管理界面时，您需要按照设备提供的引导进行初始配置。

设置管理员账户和密码，并进行基本网络设置，如IP地址、子网掩码、网关等。

此步骤将确保您能够正常访问设备并进行后续配置。

三、FortiGate设备的基本配置1. 接口配置FortiGate设备具有多个接口，用于与网络连接。

您需要为每个接口分配一个合适的IP地址，以确保设备能够与其他网络设备正常通信。

2. 防火墙策略配置防火墙策略是FortiGate设备的核心功能之一，它用于控制流经设备的网络流量。

您可以根据需求配置访问控制规则，允许或阻止特定的流量。

确保您的防火墙策略满足安全需求，并允许合法的网络通信。

3. 安全服务配置FortiGate设备提供了多种安全服务选项，如入侵防御系统、反病毒、反垃圾邮件等。

您可以根据需要启用这些服务，增强网络的安全性和保护能力。

四、FortiGate设备的高级配置1. 虚拟专用网络（VPN）配置FortiGate设备支持VPN功能，可实现安全的远程访问和分支之间的安全通信。