FNFG-FW-000130 - The FortiGate firewall must restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address.

Information

Protect the management network with a filtering firewall configured to block unauthorized traffic. This requirement is similar to the out-of-band management (OOBM) model, in which the production network is managed in-band. The management network could also be housed at a Network Operations Center (NOC) that is located locally or remotely at a single or multiple interconnected sites.

NOC interconnectivity, as well as connectivity between the NOC and the managed networks' premise routers, would be enabled using either provisioned circuits or VPN technologies such as IPsec tunnels or MPLS VPN services.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.

1. Click Policy and Objects.
2. Click IPv4 or IPv6 Policy.
3. Click +Create New.
4. Name the policy.
5. For the Incoming Interface, select the tunnel from which a host is connecting to the management network.
6. For the Outgoing Interface, select the interface connected to the management network.
7. For the Source, select the address object or group of authorized management hosts.
8. For the Destination, select the assets in the management network, and for Service, select only the approved network services.
9. Configure the Policy Action to Accept.
10. Ensure the Enable this policy toggle is switched on (slid to the right).
11. Click OK.

Repeat these steps for each Management Network host and associated Service.
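Because this check is not automated, the resulting policies can be verified from an exported configuration. The following is an added example, not part of the STIG or of this audit: it parses a constructed sample of FortiOS "show firewall policy" output and reports any accept policy from a VPN tunnel interface into the management interface whose destination address or service is the unrestricted "all" object, the condition this requirement forbids. Interface and address object names (noc-ipsec, mgmt, NOC-ADMINS, MGMT-JUMPHOST) are assumptions.

```python
import shlex
# Constructed sample of FortiOS "show firewall policy" output; the interface and
# address object names (noc-ipsec, mgmt, NOC-ADMINS, ...) are assumptions.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "noc-ipsec"
        set dstintf "mgmt"
        set srcaddr "NOC-ADMINS"
        set dstaddr "MGMT-JUMPHOST"
        set action accept
        set service "SSH" "HTTPS"
    next
    edit 2
        set srcintf "noc-ipsec"
        set dstintf "mgmt"
        set srcaddr "NOC-ADMINS"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

def parse_policies(text):
    """Turn each 'edit N ... next' block into a dict {setting: [values]}."""
    policies, current = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw) or [""]   # quoted values become single tokens
        if parts[0] == "edit":
            current = {"id": parts[1]}
        elif parts[0] == "set" and current is not None:
            current[parts[1]] = parts[2:]
        elif parts[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def _uses(values, names):  # "any" on an interface field covers every interface
    return "any" in values or bool(set(values) & names)

def find_overbroad(policies, tunnel_ifaces, mgmt_ifaces):
    """IDs of accept policies from a VPN tunnel into the management network whose destination or service is 'all'."""
    return [
        p["id"] for p in policies
        if p.get("action") == ["accept"]
        and _uses(p.get("srcintf", []), tunnel_ifaces)
        and _uses(p.get("dstintf", []), mgmt_ifaces)
        and any(v.lower() == "all" for v in p.get("dstaddr", []) + p.get("service", []))
    ]
```

Run it against a real export by replacing SAMPLE_CONFIG with the device's output and passing the actual tunnel and management interface names; each reported policy ID should be narrowed to a specific management host and service as in the steps above.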

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002403, Rule-ID|SV-234155r628776_rule, STIG-ID|FNFG-FW-000130, Vuln-ID|V-234155

Plugin: FortiGate

Control ID: a7ea20f125f81409e8c7a9fe2c074ea1a4ea6f2c8249e079f15af13049d35525