From: Bagas Sanjaya <bagasdotme@gmail.com>
To: Turritopsis Dohrnii Teo En Ming <tdtemccnp@gmail.com>,
	netdev@vger.kernel.org
Cc: ceo@teo-en-ming-corp.com
Subject: Re: Fortigate Firewall Setup SOP Draft 13 Mar 2023
Date: Tue, 6 Jun 2023 21:03:29 +0700
Message-ID: <ZH88scHrb1oT_J4E@debian.me>
In-Reply-To: <CAD3upLsLPF3nYdD1HHhqiweXt8zzOLKWpdPwuUKrccc1x33XBQ@mail.gmail.com>


On Mon, Mar 13, 2023 at 09:40:57PM +0800, Turritopsis Dohrnii Teo En Ming wrote:
> 01. Register the brand new Fortigate firewall at https://support.fortinet.com

What is the relationship between Fortigate and the native Linux firewall
(nftables)?

But hey, looks like LKML isn't the right forum for Fortinet products
(use that above support link instead).

> 
> 02. Key in the Contract Registration Code. This is very important.
> 
> 03. Upgrade firewall firmware to the latest version.
> 
> 04. Set hostname.
> XXX-FWXX
> 
> 05. Set regional date/time. Time zone is important.
> 
> 06. Enable admin disclaimer page.
> config system global
> set pre-login-banner enable
> end
> 
> 07. Create firewall super-admin accounts.
> a. admin
> b. xx-admin
> c. si-company
> d. abctech
> 
> 08. Configure WAN1 interface.
> Most business broadband plans are using DHCP.
> 
> 09. Enable FTM / SNMP / SSH / HTTPS for WAN1 interface.
> 
> 10. Configure default static route.
> 
> 11. Configure LAN interface.
> Optional: DHCP Server
> 
> 12. Set DHCP lease time to 14400.
> 
> 13. Configure HTTPS port for firewall web admin to 64444.
> 
> 14. Configure SSL port for VPN to 443.
> 
> 15. Configure LDAP Server.
> 
> 16. Create Address Objects.
> 
> 17. Create Address Groups.
> 
> 18. Configure firewall policies for LAN to WAN (outgoing internet access).
> 
> 19. Configure and apply security profiles to above firewall policies.
> 
> 20. Create Virtual IPs.
> 
> 21. Create custom services.
> 
> 22. Create service groups.
> 
> 23. Create firewall policies for port forwarding (WAN to LAN).
> 
> 24. Configure other firewall policies.
> 
> 25. Disable FortiCloud auto-join.
> config system fortiguard
> set auto-join-forticloud disable
> end
> 
> 26. Configure FTM Push.
> config system ftm-push
> set server-port 4433
> set server x.x.x.x (WAN1 public address)
> set status enable
> end
> 
> 27. Remove existing firewall/router and connect brand new Fortigate
> firewall to the internet.
> 
> 28. Configure FortiGuard DDNS.
> xxx-fw.fortiddns.com
> 
> 29. Configure DNS.
> 
> 30. Activate FortiToken.
> 
> 31. Create SSL VPN Group.
> 
> 32. Create SSL VPN Users (local or LDAP).
> 
> 33. Configure 2FA for SSL VPN Users.
> 
> 34. Create SSL-VPN Portals.
> 
> 35. Configure SSL VPN Settings (split or full tunneling).
> 
> 36. Configure firewall policies for SSL VPN to LAN.
> Optionally configure firewall policies for SSL VPN to WAN (if full tunneling).
> 
> 37. Configure C-NetMOS Network Monitoring Service.
> config log syslogd setting
> set status enable
> set server "a.b.c.d"
> set mode legacy-reliable
> set port 601
> set facility auth
> end
> 
> 38. Apply hardening steps (Systems Integrator's Internal Document).
> 
> 39. Convert SOHO wireless router to access point mode.
> 
> 40. Configure and apply security profiles (REMINDER).
> 
> Testing
> =======
> 
> 1. Internet access for all users.
> 
> 2. VPN connection using FortiToken.
> 
> Documentation
> ==============
> 
> Firewall documentation for administrator (settings / policies / VPN).
> 
> User Training
> ==============
> 
> A. For Administrator
> ====================
> 
> 1. How to access Fortigate firewall URL.
> 
> 2. How to add/remove/reassign FortiToken.
> 
> 3. How to add/remove VPN users.
> 
> 4. How to generate usage report for Government PSG Grant.
> 
> B. For End User
> ================
> 
> 1. How to connect to VPN.
> 
> 2. How to use FortiToken.
> 
> 3. How to connect company laptop to VPN.
> 
> ===EOF===

As Linus has said, "Talk is cheap. Show me the code." - show me the full
HOWTO (on your blog since LKML isn't the appropriate forum for this kind
of content).

<rant>
	The parallel to this is that many orgs by convention only upload quick
	highlights (for sports matches) or trailers (for movies) to
	YouTube and leave the full details to streaming services (which
	are often priced at charm prices). Some third-party users have made
	the full resources available for free on YouTube (but with the risk
	of a copyright wild west).

	Another way: suppose that I'm a WSJ writer and post my cool
	stories on its website. Anonymous users can only see a few posts
	(including mine) per month and then have to pay some bucks
	to view the rest (think of a paywall). A developer here at LKML
	refers to my WSJ story without knowing this fact. Do others have
	to read mine there for the sake of completeness? Many prefer the freely
	accessible version instead, so I may be forced to release
	my story on my personal site.
</rant>

> 
> REFERENCES
> ===========
> 
> [1] https://pastebin.com/raw/yg0QUcv6
> [2] https://controlc.com/85e667fb

I see both references, and they are both exact copies of your post.

Thanks anyway.

-- 
An old man doll... just what I always wanted! - Clara
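As an added example that is not part of this thread: a small Python audit that parses a flat FortiOS CLI config export and reports where it deviates from the settings the quoted SOP asks for (steps 06, 25 and 37). The config text below is constructed, the expected values are the ones in the SOP, and the script assumes the export uses the flat config/set/end form shown in the quote (nested edit tables are not handled).

```python
# Constructed sample of a FortiOS CLI config export (not from any real device).
# It deliberately drifts from the SOP in three places so the audit reports them.
SAMPLE_CONFIG = """\
config system global
    set pre-login-banner enable
end
config system fortiguard
    set auto-join-forticloud enable
end
config log syslogd setting
    set status enable
    set mode udp
    set port 514
    set facility auth
end
"""
# Settings the SOP asks for (steps 06, 25 and 37), keyed by config path.
EXPECTED = {
    ("system", "global"): {"pre-login-banner": "enable"},
    ("system", "fortiguard"): {"auto-join-forticloud": "disable"},
    ("log", "syslogd", "setting"): {"status": "enable", "mode": "legacy-reliable",
                                    "port": "601", "facility": "auth"},
}

def parse_fortios(text):
    """Flat 'config <path> / set <k> <v> / end' blocks -> {path_tuple: {k: v}}."""
    blocks, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path = tuple(line.split()[1:])
            blocks.setdefault(path, {})
        elif line.startswith("set ") and path is not None:
            _, key, value = line.split(None, 2)
            blocks[path][key] = value.strip('"')   # unquote values like "a.b.c.d"
        elif line == "end":
            path = None
    return blocks

def audit(text, expected=EXPECTED):
    """(path, key, wanted, found) per deviation; found is None if absent."""
    findings = []
    blocks = parse_fortios(text)
    for path, settings in expected.items():
        present = blocks.get(path, {})
        for key, want in settings.items():
            got = present.get(key)
            if got != want:
                findings.append((" ".join(path), key, want, got))
    return findings
```

Run `audit()` over a `show full-configuration` export instead of the sample to check a deployed unit against the SOP; the sample yields three findings (FortiCloud auto-join, syslog mode and syslog port).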

