Firewall
Certification Testing Report
Fortinet, Inc. Fortinet Consolidated Security Platforms
Tested against these standards:
ICSA Labs Firewall Certification Criteria Baseline Module, Version 4.2
ICSA Labs Firewall Certification Criteria Corporate Module, Version 4.2
October 12, 2020
Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200
Mechanicsburg, PA 17050 www.icsalabs.com

Fortinet Inc. Fortinet Consolidated Security Platforms Firewall Certification Testing Report
Table of Contents
Executive Summary ... 1
    Introduction ... 1
    Summary of Findings ... 1
    Product Overview ... 1
    Scope of Assessment ... 1
    Continuous Deployment and Spot Checks ... 1
Tested Firewall Product Components ... 2
    Hardware ... 2
    Software ... 2
    Documentation ... 2
    Product Family Members ... 2
Installation and Configuration ... 3
Required Services Security Policy Transition ... 4
    Expectation ... 4
    Results ... 4
Logging ... 5
    Expectation ... 5
    Results ... 5
Administration ... 5
    Expectation ... 5
    Results ... 5
Persistence ... 6
    Expectation ... 6
    Results ... 6
Documentation ... 6
    Expectation ... 6
    Results ... 6
Functional and Security Testing ... 6
    Expectation ... 6
    Results ... 7
Criteria Violations and Resolutions ... 7
    Introduction ... 7
    Results ... 7
ICSA Labs Certified Firewalls ... 7
Authority ... 8

FW-Fortinet-2020-1012-01 Copyright © 2020 ICSA Labs. All rights reserved.

Page i of i


Executive Summary
Introduction
The goal of ICSA Labs certification testing is to increase user and enterprise trust in information security products and solutions. For nearly 30 years, ICSA Labs, an independent division of Verizon, has been providing credible, independent, 3rd-party security product testing and certification for many of the world's top security product developers and service providers. Enterprises worldwide rely on ICSA Labs to set and apply objective testing and certification criteria measuring product security, compliance and performance.
Summary of Findings
Following rigorous firewall security testing at ICSA Labs, the FortiGate VM04 satisfied all of the security testing requirements in both the ICSA Labs baseline firewall and ICSA Labs corporate firewall testing standards. As a result, both the FortiGate VM04 and the entire Fortinet Consolidated Security Platforms family of products retained ICSA Labs Firewall Certification having met all of the testing requirements.

Product Overview

With models ranging from those suited for small businesses to models designed for large enterprises, service providers and carriers, FortiGate Consolidated Security Platforms combine the FortiOS™ security operating system with FortiASIC processors and other hardware to provide a comprehensive and high-performance array of security and networking functions.
FortiGate Consolidated Security Platforms provide cost-effective, comprehensive protection against network, content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies.

Scope of Assessment
ICSA Labs tests firewall products against its industry-approved set of testing criteria. Over time, this set of testing criteria became an industry standard. Testing requirements evolved with input from a consortium of firewall vendors, end users, and ICSA Labs. The present iteration of The Firewall Certification Criteria is version 4.2.
Continuous Deployment and Spot Checks
Following security testing by ICSA Labs, all tested firewall products remain continuously deployed at the labs for the length of the testing contract. When relevant new attacks and vulnerabilities are discovered, all deployed firewall models may be periodically checked to ensure they provide the requisite protection. In the event that any firewall is found susceptible to new attacks or vulnerabilities during a check, ICSA Labs works with the security product vendor to resolve the shortcomings in order for the product to maintain its ICSA Labs Firewall Certification.

Tested Firewall Product Components
Hardware
For firewall security certification testing, ICSA Labs installed the FortiGate VM04 (FGVM04) Firewall using ESXi 6.5 on Dell server hardware.
Software
Testing was successfully completed with firmware version 6.4.0 build 1579 (GA).
Documentation
To satisfy documentation requirements, Fortinet Consolidated Security Platforms provided ICSA Labs with the following document in order to assist in the installation, configuration, and administration of their firewall product:
• FortiOS Administration Guide, Version 6.4.0
Product Family Members
ICSA Labs Corporate Firewall Certification extends beyond the most recently tested model (identified in the "Hardware" section above) to the other members of the Fortinet Consolidated Security Platforms. Therefore, all of the models from the family listed below are ICSA Labs Certified Firewalls. For that reason, ICSA Labs periodically tests other physical and/or virtual models in the family or series. Finally, note that any model found on the security vendor's datasheet for this product family that is neither listed below nor listed on the ICSA Labs certified product list is not considered ICSA Labs Certified:
• FortiGate/FortiWifi 30E
• FortiGate 40F
• FortiGate/FortiWifi 51E
• FortiGate 60F
• FortiGate/FortiWifi 61E
• FortiGate 81E/FortiWifi 81E-POE
• FortiGate/FortiWifi 91E
• FortiGate 100E/101E
• FortiGate 100F/101F
• FortiGate 200E/201E
• FortiGate 300D
• FortiGate 300E/301E
• FortiGate 400E/401E
• FortiGate 500E/501E
• FortiGate 600D
• FortiGate 600E/601E
• FortiGate 800D
• FortiGate 1000D
• FortiGate 1100E/1101E
• FortiGate 1200D
• FortiGate 1500D
• FortiGate 2000E
• FortiGate 2200E/2201E
• FortiGate 2500E
• FortiGate 3000D
• FortiGate 3300E/3301E
• FortiGate 3700D
• FortiGate 3800D
• FortiGate 3960E
• FortiGate 3980E
• FortiGate 5000
• FortiGate 6300E/6301E
• FortiGate 6500E/6501E
• FortiGate 7030E
• FortiGate 7040E
• FortiGate 7060E
• FortiGate VM

Installation and Configuration
Firewall products can be configured different ways; therefore, ICSA Labs typically makes many configuration related decisions prior to adding a security policy to the firewall. Because ICSA Labs attempts to exploit the product under test, configuration decisions were made in an attempt to make exploitation less likely.
ICSA Labs installed and configured the security vendor's product following the firewall product documentation. Any special configuration changes or deviations from the documentation that were necessary to execute a test or meet a requirement are documented in this section.
ICSA Labs configured the FGVM04 in routing mode for both inbound and outbound traffic. In addition to security policy rule changes, ICSA labs made the following configuration changes to prepare the FGVM04 for testing:
• Modified the configuration to log out-of-state ICMP packets.

    # config log setting
    (setting) # set log-invalid-packet enable
    (setting) # end

• Restricted management connections to use secure ciphers (TLS 1.2 only for the HTTPS administrative interface).

    # config system global
    (global) # set admin-https-ssl-versions tlsv1-2
    (global) # end

• Modified the configuration to block fragmented packets on each interface.

    # config system interface
    (interface) # edit [port #]
    ([port #]) # set drop-fragment enable
    ([port #]) # end

• Blocked packets with spoofed source addresses (strict reverse-path source checking).

    # config system settings
    (settings) # set strict-src-check enable
    (settings) # end

• Enabled an IPS rule to block the FTP bounce attack, rate-limited so that a single hit within 10 seconds is blocked.

    # config ips sensor
    (sensor) # edit [policy name]
    ([policy name]) # config entries
    (entries) # edit [id]
    ([id]) # set rule 109445133
    ([id]) # set status enable
    ([id]) # set action block
    ([id]) # set rate-count 1
    ([id]) # set rate-duration 10
    ([id]) # next
    (entries) # end
    ([policy name]) # next
    (sensor) # end

• Enabled an IPS rule to block CERT vulnerability 328867, an FTP state-related exploit, from traversing the firewall.

    # config ips sensor
    (sensor) # edit [policy name]
    ([policy name]) # config entries
    (entries) # edit [id]
    ([id]) # set rule 32481
    ([id]) # set status enable
    ([id]) # set action block
    ([id]) # next
    (entries) # end
    ([policy name]) # next
    (sensor) # end
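The settings above are the ones ICSA Labs applied before testing; a defender running the same platform will want to confirm a device still carries them after later changes. The following Python is an added example, not part of the report and not Fortinet's or ICSA Labs' tooling: it parses a FortiOS configuration export and audits it for the four global settings listed (the IPS sensor entries are left out because their ids are sensor-specific). The export text is a constructed sample in the shape of FortiOS `show` output, not a dump from the tested device, and treating TLS 1.2 and 1.3 as the only acceptable admin-GUI versions is my reading of the `tlsv1-2` setting.

```python
import re

# Constructed sample in the shape of a FortiOS "show" export; it is not a
# dump from the tested device. port2 deliberately lacks drop-fragment so
# the audit has something to report.
SAMPLE_CONFIG = """\
config system global
    set admin-https-ssl-versions tlsv1-2
    set hostname "FGVM-lab"
end
config log setting
    set log-invalid-packet enable
end
config system settings
    set strict-src-check enable
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set drop-fragment enable
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
    next
end
"""

# Assumption: "secure ciphers" for the admin GUI means nothing older than
# TLS 1.2 may be offered (the report set tlsv1-2 only).
ACCEPTABLE_TLS = {"tlsv1-2", "tlsv1-3"}


def parse_fortios(text):
    """Turn config/edit/set/next/end nesting into nested dicts.

    "config a b" -> key "a b"; "edit X" -> key "X"; "set opt v1 v2" -> opt: [v1, v2].
    Only the subset of syntax needed for this audit is handled."""
    root = {}
    stack = [root]  # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit(cfg):
    """Return {check name: (passed, detail)} for the four hardening settings."""
    results = {}
    versions = cfg.get("system global", {}).get("admin-https-ssl-versions", [])
    results["admin-https-ssl-versions"] = (
        bool(versions) and set(versions) <= ACCEPTABLE_TLS, versions)
    lip = cfg.get("log setting", {}).get("log-invalid-packet")
    results["log-invalid-packet"] = (lip == ["enable"], lip)
    ssc = cfg.get("system settings", {}).get("strict-src-check")
    results["strict-src-check"] = (ssc == ["enable"], ssc)
    # drop-fragment is per interface: every interface must have it enabled.
    ifaces = cfg.get("system interface", {})
    lacking = sorted(n for n, o in ifaces.items() if o.get("drop-fragment") != ["enable"])
    results["drop-fragment"] = (not lacking, lacking)
    return results


def failing_checks(text):
    """Sorted names of the checks an export fails."""
    return sorted(name for name, (ok, _) in audit(parse_fortios(text)).items() if not ok)


if __name__ == "__main__":
    for name, (ok, detail) in audit(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```

Run against the sample, the audit passes three checks and reports `drop-fragment` as failing for `port2`; weakening the TLS line to offer `tlsv1-1` as well makes the admin-GUI check fail too.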
Required Services Security Policy Transition
Expectation
Each phase of firewall testing is performed predominantly while enforcing a particular security policy. Firewall products must be configurable to minimally enforce a security policy such as the one specified in The Modular Firewall Certification Criteria, referred to as the Required Services Security Policy or RSSP. The RSSP permits a set of common Internet services inbound and outbound while dropping or denying all other network traffic.
Results
ICSA Labs performed port scans followed by additional scans and other tests to ensure that the security vendor's product was indeed configured according to the RSSP and that no other TCP, UDP, ICMP, or other IP protocol traffic was permitted to or through the firewall in either direction.
After performing the scans mentioned above, ICSA Labs verified that the firewall properly handled all permitted outbound and inbound service requests. ICSA Labs also confirmed that no other traffic traversed the firewall in either direction that would violate the security policy.
ICSA Labs determined through testing that virtual model FGVM04 from the Fortinet Consolidated Security Platforms met all the security policy transition requirements.

Logging
Expectation
Firewalls destined for enterprise and government organizations as well as firewalls provided by managed security services providers need to provide an extensive logging capability. This explains why the breadth and depth of ICSA Labs firewall log testing is so extensive.
ICSA Labs tested the logging functionality provided by the firewall product under test ensuring that all permitted and denied traffic was logged. Analysts in the lab sent traffic both to and (attempted to send traffic) through the product. Other events that must be logged are system startups, time changes, access control rule changes, and administrative login attempts. ICSA Labs typically configures firewall products to send log data for logged events to an external server such as a syslog server. For all logged events ICSA Labs verified that the appropriate, required log data was recorded.
Results
With the Fortinet Consolidated Security Platforms product, including the FGVM04, logs can be retrieved locally via the web UI, or log events can be sent to an external server such as a syslog server. For this round of certification testing, ICSA Labs configured the tested model to send log messages to a private syslog server.
The following depicts how the FGVM04 logs a system time change:
Sep 30 13:54:44 205.160.12.254 date=2020-09-30 time=14:09:27 devname="FGVM4VTM20002077" devid="FGVM4VTM20002077" logid="0100032140" type="event" subtype="system" level="notice" vd="root" eventtime=1601499600000425591 tz="-0700" logdesc="Global time setting changed by user" user="admin" ui="GUI(172.26.25.234)" srcip=0.0.0.0 action="time_change" field="date-time" msg="User admin changed time from Wed Sep 30 14:09:27 2020 to Wed Sep 30 14:00:00 2020"
ICSA Labs determined through testing that virtual model FGVM04 from the Fortinet Consolidated Security Platforms met all the logging requirements.
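The record above is in FortiGate's key=value syslog format, with `eventtime` in nanoseconds since the epoch. As an added example (not part of the report and not ICSA Labs' or Fortinet's tooling), the following Python parses such records and picks out the event classes the Expectation section says must be logged: time changes, administrative login attempts and access control rule changes. The first sample line is the time-change record from the report; the other three lines (a failed admin login, a firewall policy edit and an ordinary traffic record that must not be flagged) are constructed by me, and the keys I rely on (`action`, `status`, `cfgpath`) are assumed to carry the values shown.

```python
import re
from datetime import datetime, timezone

SAMPLE_SYSLOG = [
    # Verbatim from the report: the time-change record.
    'Sep 30 13:54:44 205.160.12.254 date=2020-09-30 time=14:09:27 devname="FGVM4VTM20002077" devid="FGVM4VTM20002077" logid="0100032140" type="event" subtype="system" level="notice" vd="root" eventtime=1601499600000425591 tz="-0700" logdesc="Global time setting changed by user" user="admin" ui="GUI(172.26.25.234)" srcip=0.0.0.0 action="time_change" field="date-time" msg="User admin changed time from Wed Sep 30 14:09:27 2020 to Wed Sep 30 14:00:00 2020"',
    # Constructed: a failed administrative login over HTTPS.
    'Sep 30 13:55:10 205.160.12.254 date=2020-09-30 time=14:10:02 devname="FGVM4VTM20002077" devid="FGVM4VTM20002077" type="event" subtype="system" level="alert" vd="root" eventtime=1601500202000000000 tz="-0700" logdesc="Admin login failed" user="admin" ui="https(172.26.25.234)" method="https" srcip=172.26.25.234 dstip=192.0.2.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(172.26.25.234) because of invalid password"',
    # Constructed: an access control rule change.
    'Sep 30 13:56:30 205.160.12.254 date=2020-09-30 time=14:11:20 devname="FGVM4VTM20002077" devid="FGVM4VTM20002077" type="event" subtype="system" level="information" vd="root" eventtime=1601500280000000000 tz="-0700" logdesc="Object attribute configured" user="admin" ui="GUI(172.26.25.234)" action="Edit" cfgpath="firewall.policy" cfgobj="3" cfgattr="action[deny->accept]" msg="Edit firewall.policy 3"',
    # Constructed: ordinary forwarded traffic, not one of the required event classes.
    'Sep 30 13:57:01 205.160.12.254 date=2020-09-30 time=14:11:51 devname="FGVM4VTM20002077" devid="FGVM4VTM20002077" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1601500311000000000 tz="-0700" srcip=10.0.0.5 dstip=198.51.100.20 srcport=51234 dstport=443 proto=6 action="accept" policyid=3 service="HTTPS"',
]

# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_kv(line):
    """Split a FortiGate syslog record into a dict (syslog prefix is ignored)."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def event_utc(rec):
    """eventtime is nanoseconds since the epoch; convert to an aware UTC datetime."""
    return datetime.fromtimestamp(int(rec["eventtime"]) // 10**9, tz=timezone.utc)


def classify(rec):
    """Name the required event class a record belongs to, or None."""
    if rec.get("type") != "event":
        return None
    action = rec.get("action", "")
    if action == "time_change":
        return "time_change"
    if action == "login":
        return "admin_login_" + rec.get("status", "unknown")
    if rec.get("cfgpath", "").startswith("firewall.policy"):
        return "policy_change"
    return None


def required_events(lines):
    """(class, user, UTC time, message) for every record in a required class."""
    out = []
    for line in lines:
        rec = parse_fortigate_kv(line)
        cat = classify(rec)
        if cat:
            out.append((cat, rec.get("user", "-"), event_utc(rec).isoformat(), rec.get("msg", "")))
    return out


if __name__ == "__main__":
    for cat, user, when, msg in required_events(SAMPLE_SYSLOG):
        print(f"{when} {cat:<20} {user:<8} {msg}")
```

Note that the report's record carries `eventtime=1601499600000425591`, which converts to 21:00:00 UTC, i.e. 14:00:00 in the `-0700` zone: the timestamp already reflects the new clock value the administrator set, while the syslog receiver's own prefix (`13:54:44`) is what tells you when the message actually arrived. Keeping both is what makes a time change detectable after the fact.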
Administration
Expectation
Firewall products often have more than a single method by which administration is possible. Whether the product can be administered remotely using vendor provided administration software, from a web browser based interface, via some non-networked connection such as a serial port, or some other means, authentication must be possible before access to administrative functions is granted. ICSA Labs tested not only that authentication mechanisms existed but also that they could not be bypassed and that remote administration traffic was encrypted.
Results
ICSA Labs remotely administered the FGVM04 in the lab from the private network using the available web-based GUI via HTTPS. Attempts to bypass the authentication mechanism for all means of administration were unsuccessful.
ICSA Labs determined through testing that virtual model FGVM04 from the Fortinet Consolidated Security Platforms met all the administration requirements.

Persistence
Expectation
Power outages, electrical storms, and inadvertent power losses should not cause the firewall to lose valuable information such as the remote administration configuration, security policy being enforced, log data, time and date, and authentication data. This section documents the findings of ICSA Labs testing of the firewall product against the persistence requirements.
Results
The tested FGVM04 firewall product continued to maintain its configuration, settings, and data following a forced power outage. Similarly, the product continued to enforce the configured security policy following the outage.
ICSA Labs determined through testing that virtual model FGVM04 from the Fortinet Consolidated Security Platforms met all the persistence requirements.
Documentation
Expectation
ICSA Labs expects firewall documentation to be accurate and applicable to the version tested. The documentation should minimally provide appropriate guidance for installation, configuration and administration.
Results
ICSA Labs determined that the documentation provided was adequate and accurate for the purposes of product installation and administration.
The documentation provided by Fortinet met all of the documentation requirements.
Functional and Security Testing
Expectation
Once configured to enforce a security policy an ICSA Labs certified firewall must properly permit the services allowed by that policy. In this case, "properly" means that the service functions correctly. The firewall must be capable of preventing well-known, potentially harmful behavior found in some network protocols while at the same time maintaining compliance with applicable network protocol standards in all other ways. In the event of a conflict between these two things, a firewall tested and certified by ICSA Labs must defer to providing increased security. During functional testing ICSA Labs checked to ensure proper protocol behavior for the permitted services.
During security testing, ICSA Labs used commercial, in-house, and freely available testing tools to attack and probe the firewall. ICSA Labs used these tools to attempt to defeat or circumvent the security policy enforced. Additionally, using Denial-of-Service and fragmentation attacks ICSA Labs attempted to overwhelm, bypass or otherwise defeat the enforced security policy.
Since there is overlap between functional and security testing, the results of both phases of testing are presented here.

Results
The FGVM04 from the Fortinet Consolidated Security Platforms met all Functional and Security Testing requirements. No violations were found in this area throughout testing.
Criteria Violations and Resolutions
Introduction
In the event that ICSA Labs uncovers criteria violations while testing a firewall product, the security vendor must make repairs before testing is successfully completed and certification granted. The section that follows documents all criteria violations discovered during testing.
Results
The FGVM04 from the Fortinet Consolidated Security Platforms met all Corporate Firewall Certification Criteria requirements. No violations were found during the test cycle.
ICSA Labs Certified Firewalls
Because the FGVM04 virtual firewall model passed all of the firewall security test cases performed by ICSA Labs and as the tested product met the entire set of testing criteria requirements, ICSA Labs is pleased to state that both it and the other models comprising the Fortinet Consolidated Security Platforms retained ICSA Labs Corporate Firewall Certification.

Authority
This report is issued by the authority of the General Manager, ICSA Labs. Tests are done under normal operating conditions.

ICSA Labs
The goal of ICSA Labs is to significantly increase user and enterprise trust in information security products and solutions. For nearly 30 years, ICSA Labs, an independent division of Verizon, has been providing credible, independent, 3rd party security product testing and certification for many of the world's top security product developers and service providers. Enterprises worldwide rely on ICSA Labs to set and apply objective testing and certification criteria for measuring product compliance and performance.

Fortinet, Inc.
Fortinet's portfolio of security gateways, subscription services, and complementary products delivers high levels of network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while reducing total cost of ownership and providing a flexible, scalable path for expansion.

www.icsalabs.com

www.fortinet.com
