DISA Fortigate Firewall STIG v1r1

Audit Details

Name: DISA Fortigate Firewall STIG v1r1

Updated: 7/27/2022

Authority: DISA STIG

Plugin: FortiGate

Revision: 1.0

Estimated Item Count: 39

File Details

Filename: DISA_STIG_Fortigate_Firewall_v1r1.audit

Size: 103 kB

MD5: 731450bb4a786e3c822cf83cdc65b257
SHA256: aabcb957c8b692fad677f7b8c3c06e0eac968573e8adecdb747d3493bc504a4f

Audit Items

DescriptionCategories
FNFG-FW-000015 - The FortiGate firewall must use organization-defined filtering rules that apply to the monitoring of remote access traffic for the traffic from the VPN access points.

ACCESS CONTROL

FNFG-FW-000020 - The FortiGate firewall must generate traffic log entries containing information to establish what type of events occurred.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000025 - The FortiGate firewall must generate traffic log entries containing information to establish when (date and time) the events occurred.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000030 - The FortiGate firewall must generate traffic log entries containing information to establish the network location where the events occurred.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000035 - The FortiGate firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000040 - The FortiGate firewall must generate traffic log entries containing information to establish the outcome of the events, such as, at a minimum, the success or failure of the application of the firewall rule.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000045 - In the event that communication with the central audit server is lost, the FortiGate firewall must continue to queue traffic log records locally. - disk status|diskfull

AUDIT AND ACCOUNTABILITY

FNFG-FW-000045 - In the event that communication with the central audit server is lost, the FortiGate firewall must continue to queue traffic log records locally. - fortianalyzer|syslogd server

AUDIT AND ACCOUNTABILITY

FNFG-FW-000050 - The FortiGate firewall must protect traffic log records from unauthorized access while in transit to the central audit server. - enc-algorithm

AUDIT AND ACCOUNTABILITY

FNFG-FW-000050 - The FortiGate firewall must protect traffic log records from unauthorized access while in transit to the central audit server. - set certificate

AUDIT AND ACCOUNTABILITY

FNFG-FW-000050 - The FortiGate firewall must protect traffic log records from unauthorized access while in transit to the central audit server. - set mode

AUDIT AND ACCOUNTABILITY

FNFG-FW-000050 - The FortiGate firewall must protect traffic log records from unauthorized access while in transit to the central audit server. - set server

AUDIT AND ACCOUNTABILITY

FNFG-FW-000055 - The FortiGate firewall must protect the traffic log from unauthorized modification of local log records.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000060 - The FortiGate firewall must protect the traffic log from unauthorized deletion of local log files and log records.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000065 - The FortiGate firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.

CONFIGURATION MANAGEMENT

FNFG-FW-000070 - The FortiGate firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000075 - The FortiGate firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000085 - The FortiGate firewall must filter traffic destined to the internal enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL), Vulnerability Assessments (VAs) for that the enclave. - policy

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000085 - The FortiGate firewall must filter traffic destined to the internal enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL), Vulnerability Assessments (VAs) for that the enclave. - policy6

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000090 - The FortiGate firewall must fail to a secure state if the firewall filtering functions fail unexpectedly. - av-failopen

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000090 - The FortiGate firewall must fail to a secure state if the firewall filtering functions fail unexpectedly. - av-failopen-session

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000090 - The FortiGate firewall must fail to a secure state if the firewall filtering functions fail unexpectedly. - fail-open

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000100 - The FortiGate firewall must send traffic log entries to a central audit server for management and configuration of the traffic log entries. - fortianalyzer status

AUDIT AND ACCOUNTABILITY

FNFG-FW-000100 - The FortiGate firewall must send traffic log entries to a central audit server for management and configuration of the traffic log entries. - syslogd status

AUDIT AND ACCOUNTABILITY

FNFG-FW-000105 - If communication with the central audit server is lost, the FortiGate firewall must generate a real-time alert to, at a minimum, the SCA and ISSO.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000110 - The FortiGate firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000115 - The FortiGate firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000120 - The FortiGate firewall must apply egress filters to traffic outbound from the network through any internal interface.

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000125 - When employed as a premise firewall, FortiGate must block all outbound management traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000130 - The FortiGate firewall must restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address.

SYSTEM AND COMMUNICATIONS PROTECTION

FNFG-FW-000135 - The FortiGate firewall must be configured to inspect all inbound and outbound traffic at the application layer.

CONFIGURATION MANAGEMENT

FNFG-FW-000145 - The FortiGate firewall must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).

CONFIGURATION MANAGEMENT

FNFG-FW-000150 - The FortiGate firewall must generate an alert that can be forwarded to, at a minimum, the Information System Security Officer (ISSO) and Information System Security Manager (ISSM) when denial-of-service (DoS) incidents are detected. - enc-algorithm

SYSTEM AND INFORMATION INTEGRITY

FNFG-FW-000150 - The FortiGate firewall must generate an alert that can be forwarded to, at a minimum, the Information System Security Officer (ISSO) and Information System Security Manager (ISSM) when denial-of-service (DoS) incidents are detected. - set certificate

SYSTEM AND INFORMATION INTEGRITY

FNFG-FW-000150 - The FortiGate firewall must generate an alert that can be forwarded to, at a minimum, the Information System Security Officer (ISSO) and Information System Security Manager (ISSM) when denial-of-service (DoS) incidents are detected. - set mode

SYSTEM AND INFORMATION INTEGRITY

FNFG-FW-000150 - The FortiGate firewall must generate an alert that can be forwarded to, at a minimum, the Information System Security Officer (ISSO) and Information System Security Manager (ISSM) when denial-of-service (DoS) incidents are detected. - set server

SYSTEM AND INFORMATION INTEGRITY

FNFG-FW-000155 - The FortiGate firewall must allow authorized users to record a packet-capture-based IP, traffic type (TCP, UDP, or ICMP), or protocol.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000160 - The FortiGate firewall must generate traffic log records when traffic is denied, restricted, or discarded.

AUDIT AND ACCOUNTABILITY

FNFG-FW-000165 - The FortiGate firewall must generate traffic log records when attempts are made to send packets between security zones that are not authorized to communicate.

AUDIT AND ACCOUNTABILITY