Introduction
The recent 0-day vulnerability in FortiManager has highlighted the critical need for zero-trust principles, particularly in FortiGate-to-FortiManager communications. This solution is designed to restrict FortiManager access solely to trusted FortiGates, especially relevant for environments with a large install base or where many FortiGates rely on dynamic IP addressing.
Challenges with Dynamic Connections
Organisations managing SD-WAN environments with numerous FortiGates connected through dynamic IP addresses face a significant challenge: FortiManager must be accessible from the internet only to authorised FortiGates. While a small-scale solution might involve Dynamic DNS (DDNS) on FortiGates, allowing them to be allowlisted by a DDNS group in the data center firewall, such an approach requires frequent manual updates, making it unsustainable for larger environments.
Solution Overview
Our solution integrates the Automation feature on the managed FortiGates with three AWS components—API Gateway, Lambda functions, and S3—and the Threat Feed feature on the data center FortiGate. This setup enables dynamic IP address updates while enforcing zero-trust principles.
Here's an outline of the solution:
1. Automation on FortiGates Accessing FortiManager via Internet
Each FortiGate uses a scheduled automation process to retrieve its IP address and submit it to the API Gateway via an outgoing webhook, automating the dynamic IP updates.
2. API Gateway
- PATCH Request: Secured with an API key, this request updates the FortiGate IP in the allowlist.
- GET Request: Restricted to specific IPs, allowing only the data center firewall to retrieve the IP allowlist.
3. Lambda Function
- Processes requests through API Gateway, validating IPs to prevent duplicates before updating the allowlist in S3.
4. S3 Bucket
- Stores the IP allowlist securely, accessible by the data center firewall and other authorised systems.
5. Threat Feed on Data Center Firewall Protecting FortiManager
- The data center FortiGate protecting FortiManager retrieves the FMG allowlist as an external threat feed (despite the feature's name, the feed is simply a list of trusted source addresses) and references that feed in the firewall policy that controls access to FortiManager.
Triggers and Actions
- Trigger: The automation runs every hour, or is alternatively triggered by events such as a new DHCP lease or an SD-WAN member status change.
- Actions:
  - Retrieve Own IP Address
    - The automation looks up the FortiGate's public IP address through an external service and formats it for the webhook update.
  - Update FMG Allowlist - Publicly Managed FortiGates
    - The IP is then sent to the allowlist via a PATCH request to the API Gateway endpoint, which validates the format and avoids duplicate entries.
  - Fetch FMG Allowlist - Data Center FortiGate
    - The data center FortiGate protecting FortiManager fetches the FMG allowlist as a threat feed.
Implementation Details
A high-level overview of key configurations includes:
- FortiGate Automation Setup: Configurations for retrieving the IP and updating the feed to maintain FortiGate’s secure connection to FortiManager.
- API Gateway Configuration: Secured PATCH and GET requests with API key for PATCH and IP allowlisting for GET requests.
- Lambda Function: Code for IP extraction, duplication checks, and updates to S3 (included in the appendix for further customisation).
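As an added illustration (not the appendix code the post refers to), here is a minimal Python handler for the Lambda step described above. It assumes a REST API Gateway with the v1 proxy payload (so the method arrives in `httpMethod`), a feed object named `fmg-allowlist.txt` holding one IPv4 address per line (the format a FortiGate IP address threat feed reads), and the bucket name in an assumed `FEED_BUCKET` environment variable; the optional `store` parameter lets the same logic run offline without boto3.

```python
import ipaddress
import json
import os

FEED_KEY = "fmg-allowlist.txt"  # hypothetical S3 object key; body is one IP per line

def normalise_ip(raw):
    """Canonical IPv4 string, or None unless it is a valid global unicast address (private, loopback and link-local input never reaches the feed)."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    return str(ip) if ip.version == 4 and ip.is_global else None

def add_to_allowlist(feed_text, raw_ip):
    """Merge one address into the feed body; returns (new_text, changed)."""
    ip = normalise_ip(raw_ip)
    if ip is None:
        raise ValueError("invalid or non-public IPv4 address")
    entries = [line.strip() for line in feed_text.splitlines() if line.strip()]
    if ip in entries:  # duplicate check: skip the S3 write entirely
        return feed_text, False
    return "\n".join(entries + [ip]) + "\n", True

class S3Store:
    """AWS backend: wraps boto3 get_object/put_object on the allowlist bucket."""
    def __init__(self, bucket):
        import boto3  # only needed inside Lambda, so the module imports offline
        self.s3, self.bucket = boto3.client("s3"), bucket
    def get(self, key):
        return self.s3.get_object(Bucket=self.bucket, Key=key)["Body"].read().decode()
    def put(self, key, text):
        self.s3.put_object(Bucket=self.bucket, Key=key, Body=text.encode())

def lambda_handler(event, context, store=None):
    """REST API (v1 payload) handler; `store` can be swapped for an offline stand-in."""
    store = store or S3Store(os.environ["FEED_BUCKET"])  # bucket name is an assumed env var
    method = event.get("httpMethod")
    if method == "GET":  # data center FortiGate pulls the feed; the resource policy limits callers
        return {"statusCode": 200, "headers": {"Content-Type": "text/plain"}, "body": store.get(FEED_KEY)}
    if method != "PATCH":
        return {"statusCode": 405, "body": "method not allowed"}
    try:  # managed FortiGate webhook; API Gateway has already enforced the API key
        raw_ip = json.loads(event.get("body") or "{}").get("ip", "")
        new_text, changed = add_to_allowlist(store.get(FEED_KEY), raw_ip)
    except (ValueError, AttributeError):  # bad JSON, bad body shape or bad address
        return {"statusCode": 400, "body": "invalid ip"}
    if changed:
        store.put(FEED_KEY, new_text)
    return {"statusCode": 200, "body": json.dumps({"added": changed})}
```

The PATCH path deliberately writes nothing when the address is already present, which keeps the feed stable between hourly runs and avoids needless S3 writes from the many FortiGates reporting in.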
Security and Cost Considerations
- Resource Policy for API Gateway: Restrict GET requests to your data center firewall IP addresses.
- Rate Limiting API Requests: Limits on PATCH requests help prevent high costs from excessive API traffic.
- Limit Outgoing Traffic for FortiManager: FortiManager does not require full internet access. Restrict its outbound access to essential resources only, using the Internet Services DB; FortiManager needs access to Fortinet-FortiGuard and Fortinet-Web.
- Remove FGFM access from all FortiGate interfaces: This service is vulnerable in older versions of FortiOS. Note: This prevents FortiGate discovery from FortiManager.
Conclusion and Recommendations
This zero-trust solution offers a scalable, automated approach to securing FortiManager, even when FortiGates rely on dynamic IP addresses. Implementing API Gateway, Lambda, and S3 in AWS allows organisations to automate IP allowlisting.
Note: Zero-Touch Provisioning will only work if new FortiGates connect from an IP address already present in the allowlist.
For organisations that need assistance implementing this solution, contact us for professional support in enhancing FortiManager security with zero-trust principles.