[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ZH88scHrb1oT_J4E@debian.me>
Date: Tue, 6 Jun 2023 21:03:29 +0700
From: Bagas Sanjaya <bagasdotme@...il.com>
To: Turritopsis Dohrnii Teo En Ming <tdtemccnp@...il.com>,
netdev@...r.kernel.org
Cc: ceo@...-en-ming-corp.com
Subject: Re: Fortigate Firewall Setup SOP Draft 13 Mar 2023
On Mon, Mar 13, 2023 at 09:40:57PM +0800, Turritopsis Dohrnii Teo En Ming wrote:
> 01. Register the brand new Fortigate firewall at https://support.fortinet.com
What is the relationship between Fortigate and native Linux firewall
(nftables)?
But hey, looks like LKML isn't the right forum for Fortinet products
(use that above support link instead).
>
> 02. Key in the Contract Registration Code. This is very important.
>
> 03. Upgrade firewall firmware to the latest version.
>
> 04. Set hostname.
> XXX-FWXX
>
> 05. Set regional date/time. Time zone is important.
>
> 06. Enable admin disclaimer page.
> config system global
> set pre-login-banner enable
>
> 07. Create firewall super-admin accounts.
> a. admin
> b. xx-admin
> c. si-company
> d. abctech
>
> 08. Configure WAN1 interface.
> Most business broadband plans are using DHCP.
>
> 09. Enable FTM / SNMP / SSH / HTTPS for WAN1 interface.
>
> 10. Configure default static route.
>
> 11. Configure LAN interface.
> Optional: DHCP Server
>
> 12. Set DHCP lease time to 14400.
>
> 13. Configure HTTPS port for firewall web admin to 64444.
>
> 14. Configure SSL port for VPN to 443.
>
> 15. Configure LDAP Server.
>
> 16. Create Address Objects.
>
> 17. Create Address Groups.
>
> 18. Configure firewall policies for LAN to WAN (outgoing internet access).
>
> 19. Configure and apply security profiles to above firewall policies.
>
> 20. Create Virtual IPs.
>
> 21. Create custom services.
>
> 22. Create service groups.
>
> 23. Create firewall policies for port forwarding (WAN to LAN).
>
> 24. Configure other firewall policies.
>
> 25. Disable FortiCloud auto-join.
> config system fortiguard
> set auto-join-forticloud disable
> end
>
> 26. Configure FTM Push.
> config system ftm-push
> set server-port 4433
> set server x.x.x.x (WAN1 public address)
> set status enable
>
> 27. Remove existing firewall/router and connect brand new Fortigate
> firewall to the internet.
>
> 28. Configure FortiGuard DDNS.
> xxx-fw.fortiddns.com
>
> 29. Configure DNS.
>
> 30. Activate FortiToken.
>
> 31. Create SSL VPN Group.
>
> 32. Create SSL VPN Users (local or LDAP).
>
> 33. Configure 2FA for SSL VPN Users.
>
> 34. Create SSL-VPN Portals.
>
> 35. Configure SSL VPN Settings (split or full tunneling).
>
> 36. Configure firewall policies for SSL VPN to LAN.
> Optionally configure firewall policies for SSL VPN to WAN (if full tunneling).
>
> 37. Configure C-NetMOS Network Monitoring Service.
> configure log syslogd setting
> set status enable
> set server "a.b.c.d"
> set mode legacy-reliable
> set port 601
> set facility auth
> end
>
> 38. Apply hardening steps (Systems Integrator's Internal Document).
>
> 39. Convert SOHO wireless router to access point mode.
>
> 40. Configure and apply security profiles (REMINDER).
>
> Testing
> =======
>
> 1. Internet access for all users.
>
> 2. VPN connection using FortiToken.
>
> Documentation
> ==============
>
> Firewall documentation for administrator (settings / policies / VPN).
>
> User Training
> ==============
>
> A. For Administrator
> ====================
>
> 1. How to access Fortigate firewall URL.
>
> 2. How to add/remove/reassign FortiToken.
>
> 3. How to add/remove VPN users.
>
> 4. How to generate usage report for Government PSG Grant.
>
> B. For End User
> ================
>
> 1. How to connect to VPN.
>
> 2. How to use FortiToken.
>
> 3. How to connect company laptop to VPN.
>
> ===EOF===
As Linus has said, "Talk is cheap. Show me the code." - show me the full
HOWTO (on your blog since LKML isn't the appropriate forum for this kind
of content).
<rant>
The parallel to this that many orgs by convention only upload quick
highlights (for sports matches) or trailers (for movies) to
YouTube and leave the full details to streaming services (which
are often priced in charm prices). Some third-party users made
the full resources available for free on YouTube (but with risk
of copyright wild west).
Another way: Suppose that I'm a WSJ writer and post my cool
stories into its website. Anonymous users can only see few posts
(including mine) per month and then they had to pay some bucks
to view the rest (think of paywall). A developer here at LKML
refer to my WSJ story without knowing this fact. Do others have
to read mine there for the sake of completeness? Many prefer freely
accessible version instead, so I may have to be forced to release
my story to my personal site.
</rant>
>
>
>
>
> REFERENCES
> ===========
>
> [1] https://pastebin.com/raw/yg0QUcv6
> [2] https://controlc.com/85e667fb
I see both references and these are all the exact copy of your post.
Thanks anyway.
--
An old man doll... just what I always wanted! - Clara
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists