FNFG-FW-000125 - When employed as a premise firewall, FortiGate must block all outbound management traffic.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The management network must still have its own subnet in order to enforce control and access boundaries provided by layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic.

Safeguards must be implemented to ensure the management traffic does not leak past the managed network's premise equipment. If a firewall is located behind the premise router, all management traffic must be blocked at that point, with the exception of management traffic destined to premise equipment.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.

1. Click Policy and Objects.
2. Click IPv4 or IPv6 Policy.
3. Click +Create New.
4. Name the policy.
5. For the Incoming Interface, select the interface related to the Management Network.
6. For the Outgoing Interface, select an EGRESS interface.
7. For the Source, select the Management Network IP range.
8. For the Destination and Service, select ALL.
9. Configure the Policy Action to DENY.
10. Ensure the Enable this policy is toggled to right.
11. Click OK.

Repeat these steps for each EGRESS interface.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002403, Rule-ID|SV-234154r628776_rule, STIG-ID|FNFG-FW-000125, Vuln-ID|V-234154

Plugin: FortiGate

Control ID: 2210d62c86cff7476b63c6d74ca6ceacb0edcc22cea2a39617b6aa6d09795fc6