Security Policy

With FortiPoC 1.8.31 and 1.9.13 the default security policy has changed: the global configuration prevents access to PoC devices by default; users must explicitly open the accesses and enable the port forwarding rules.

FortiPoC Default password

Important

You must change the “admin” password on first CLI or GUI login.

Frontend embedded CLI

The frontend embedded CLI access is allowed only when the user is logged in to the frontend.

Custom port forwarding rules

The PoC custom port forwarding rules are disabled by default.

You can still see them with diagnose network firewall, e.g.:

lab-fp18 # diagnose network firewall
...
[0:0] -A FP_PRE_CUSTOM -i eth0 -p tcp -m tcp --dport 22222 -j MARK --set-xmark 0x1/0x1
[0:0] -A FP_PRE_CUSTOM -i eth0 -p tcp -m tcp --dport 22222 -j DNAT --to-destination 10.0.0.1:80
...

But they are never processed. To activate them:

set security custom enable

This enables processing of the FP_PRE_CUSTOM chain:

lab-fp18 # diagnose network firewall
...
[0:0] -A FP_TOGGLE_PRE_CUSTOM -i eth0 -j FP_PRE_CUSTOM
...

To block them:

set security custom disable

Warning

This security flag is persistent on reboot. It’s activated as soon as you execute the command. No PoC launch is required.

Default access

SSH

SSH VM accesses are managed by port forwarding rules.

These port forwarding rules are disabled by default.

You can still see them with diagnose network firewall, e.g.:

lab-fp18 # diagnose network firewall
...
[0:0] -A FP_PRE_SSH -i eth0 -p tcp -m tcp --dport 11000 -j MARK --set-xmark 0x1/0x1
[0:0] -A FP_PRE_SSH -i eth0 -p tcp -m tcp --dport 11000 -j DNAT --to-destination 10.0.0.2:22
...

But they are never processed. To activate them:

set security ssh public

This enables processing of the FP_PRE_SSH chain:

lab-fp18 # diagnose network firewall
...
[0:0] -A FP_TOGGLE_PRE_SSH -i eth0 -j FP_PRE_SSH
...

To block them:

set security ssh private

Warning

This security flag is persistent on reboot. It’s activated as soon as you execute the command. No PoC launch is required.

The frontend embedded SSH access is not affected by the flag and can only be used if the user is logged in.
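The custom and SSH sections above both rely on the same mechanism: the DNAT rules stay in the FP_PRE_CUSTOM / FP_PRE_SSH chains whether the flag is set or not, and only the presence of a jump from the matching FP_TOGGLE_* chain makes them live. The following script is an added example (not FortiPoC code) that parses diagnose network firewall output in the format quoted on this page and reports, for each forwarded port, whether its chain is actually processed. The sample output is constructed from the excerpts above; the chain naming convention (FP_TOGGLE_<name> jumping to FP_<name>) is taken from those excerpts and assumed to hold for every toggle chain.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "diagnose network firewall" excerpts on this page:
# a custom forward whose toggle jump is absent (custom disabled) and an SSH forward
# whose FP_TOGGLE_PRE_SSH jump is present (ssh public).
SAMPLE_OUTPUT = """\
lab-fp18 # diagnose network firewall
[0:0] -A FP_PRE_CUSTOM -i eth0 -p tcp -m tcp --dport 22222 -j MARK --set-xmark 0x1/0x1
[0:0] -A FP_PRE_CUSTOM -i eth0 -p tcp -m tcp --dport 22222 -j DNAT --to-destination 10.0.0.1:80
[0:0] -A FP_PRE_SSH -i eth0 -p tcp -m tcp --dport 11000 -j MARK --set-xmark 0x1/0x1
[0:0] -A FP_PRE_SSH -i eth0 -p tcp -m tcp --dport 11000 -j DNAT --to-destination 10.0.0.2:22
[0:0] -A FP_TOGGLE_PRE_SSH -i eth0 -j FP_PRE_SSH
"""

# "[pkts:bytes] -A <chain> <rule body>", the iptables-save style shown on this page
RULE_RE = re.compile(r"^\[\d+:\d+\]\s+-A\s+(\S+)\s+(.*)$")
DNAT_RE = re.compile(r"--dport\s+(\d+)\b.*-j\s+DNAT\s+--to-destination\s+(\S+)")
JUMP_RE = re.compile(r"-j\s+(\S+)\s*$")


@dataclass(frozen=True)
class Forward:
    chain: str      # FP_PRE_* chain holding the rule
    dport: int      # port exposed on eth0
    target: str     # "ip:port" the traffic is DNATed to
    active: bool    # True only if some FP_TOGGLE_* chain jumps to this chain


def parse_rules(text):
    """Map each chain name to the list of rule bodies appended to it."""
    chains = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def enabled_chains(chains):
    """Chains reachable through a FP_TOGGLE_* jump, i.e. chains that are processed."""
    enabled = set()
    for chain, bodies in chains.items():
        if chain.startswith("FP_TOGGLE_"):
            for body in bodies:
                m = JUMP_RE.search(body)
                if m:
                    enabled.add(m.group(1))
    return enabled


def audit_forwards(text):
    """List every DNAT forward together with whether its chain is actually processed."""
    chains = parse_rules(text)
    live = enabled_chains(chains)
    forwards = []
    for chain, bodies in chains.items():
        if chain.startswith("FP_TOGGLE_"):
            continue
        for body in bodies:
            m = DNAT_RE.search(body)
            if m:
                forwards.append(Forward(chain, int(m.group(1)), m.group(2), chain in live))
    return forwards


def active_exposures(text):
    """Only the forwards that are reachable from the public interface right now."""
    return [f for f in audit_forwards(text) if f.active]


if __name__ == "__main__":
    for f in audit_forwards(SAMPLE_OUTPUT):
        state = "ACTIVE" if f.active else "inactive"
        print(f"{f.chain:16} eth0:{f.dport} -> {f.target}  [{state}]")
```

Run it against a saved copy of the real command output to get a quick inventory of what is exposed after each set security change; a forward listed as inactive is present in the ruleset but, as the text above explains, is never evaluated.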

HTTP

HTTP access is done by reverse proxy.

Important

By default access is allowed only if the user is logged in to the frontend interface.

To activate public access:

set security http public

Note

You MUST launch the PoC for the settings to take effect.

Warning

You MUST use robust passwords for all accounts accessible through HTTP. Remember that HTTP is an insecure protocol that may leak cookies, passwords and sensitive information to any MITM attacker. It is NOT recommended to open it to the public!

To block public access:

set security http private

Note

You MUST launch the PoC for the settings to take effect.

HTTPS

HTTPS access is done by reverse proxy.

Important

By default access is allowed only if the user is logged in to the frontend interface.

To activate public access:

set security https public

Note

You MUST launch the PoC for the settings to take effect.

Warning

You MUST use robust passwords for all accounts accessible through HTTPS.

To block public access:

set security https private

Note

You MUST launch the PoC for the settings to take effect.

TELNET

Telnet access is allowed only through the frontend embedded access when the user is logged in to the frontend.

SERIAL

Serial console access to VM or bash access to LXC are allowed only through the frontend embedded access when the user is logged in to the frontend.

VNC and SPICE

For KVM devices, the VNC (and SPICE) screen console is bound to the loopback interface only; you can only access it through the frontend embedded VNC access.

You can configure FortiPoC to bind VNC (and/or SPICE) to the public interface, but only subject to the following requirements:

Without a password

If the PoC doesn’t define a “Display access password”, you MUST be logged in to the frontend in order to use the frontend embedded VNC access.

Important

You CAN’T bind VNC (or SPICE) to a public address if the PoC doesn’t define a “Display access password”.

With a password

If the PoC defines a “Display access password”, you can use the frontend embedded VNC access without being logged in, but to do so you must also bind VNC (and/or SPICE) to the public address:

set security vnc public
set security spice public

Note

You MUST launch the PoC for the settings to take effect.

Important

If the PoC doesn’t define a “Display access password”, these security flags have no effect and access is bound to loopback only.

Warning

The VNC protocol limits passwords to 8 characters. If the PoC defines a longer password, VNC is bound to loopback only, because the password can’t be accepted by libvirt/qemu (or would be truncated), which would make it less secure than expected.

Note

If you are logged in to the frontend, the password is bypassed for the frontend embedded VNC access.

To revert to loopback only:

set security vnc private
set security spice private

Note

You MUST launch the PoC for the settings to take effect.

Customized access

Important

It’s recommended to set to private or disable all accesses to VMs that are not required (e.g. a VyOS used internally only for loss and traffic shaping, …) or accesses for unused protocols (e.g. HTTP access).

You can disable automatic forwarding rule/reverse proxy for a specific access:

{
  "accesses": {
    "HTTPS": {
      "fwd": false
    }
  }
}

You can also disable all port forwardings/reverse proxies for a device with:

{
  "special": {
    "fwd": false
  }
}

When an access is configured as public at FortiPoC level, this feature lets you force some individual accesses to be more restrictive, e.g.:

{
  "accesses": {
    "SSH": {
      "fwd": "private"
    },
    "HTTP": {
      "fwd": false
    }
  }
}

Or all of them:

{
  "special": {
    "fwd": "private"
  }
}
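The overrides in this section combine with the FortiPoC-level flags: a per-device "special" entry and a per-access entry can each turn forwarding off ("fwd": false) or force it private ("fwd": "private"). The following script is an added example, not part of FortiPoC, that parses such a device definition strictly (a trailing comma, for instance, is rejected, since JSON does not allow one), flags unexpected fwd values, and computes the effective mode of each access. It assumes, as the text above states, that overrides can only make an access more restrictive (false beats "private", which beats the global flag), that a missing fwd means true, and that the global flag per protocol is the one set with set security <protocol> public|private; the global flags and device definition below are constructed.

```python
import json

# Constructed FortiPoC-level flags, as set with "set security <proto> public|private".
GLOBAL_FLAGS = {"SSH": "public", "HTTP": "public", "HTTPS": "private"}

# Constructed device definition using the "special" and "accesses" overrides from this page.
DEVICE_JSON = """{
  "special": {"fwd": "private"},
  "accesses": {
    "HTTP": {"fwd": false},
    "SSH": {"fwd": true}
  }
}"""


def load_device_config(text):
    """Strict JSON parse: a trailing comma or a comment raises json.JSONDecodeError."""
    return json.loads(text)


def is_valid_fwd(value):
    """Only the three values shown on this page are accepted for "fwd".
    Identity checks are used because in Python 1 == True, and a numeric 1 is not valid."""
    return value is True or value is False or value == "private"


def invalid_fwd_values(cfg):
    """Return 'path=value' strings for every fwd value that is not true/false/"private"."""
    bad = []
    special = cfg.get("special", {}).get("fwd", True)
    if not is_valid_fwd(special):
        bad.append(f"special.fwd={special!r}")
    for name, access in cfg.get("accesses", {}).items():
        fwd = access.get("fwd", True)
        if not is_valid_fwd(fwd):
            bad.append(f"accesses.{name}.fwd={fwd!r}")
    return bad


def effective_mode(global_mode, device_fwd, access_fwd):
    """Assumption: overrides only tighten. false -> disabled, any "private" -> private."""
    if device_fwd is False or access_fwd is False:
        return "disabled"
    if "private" in (global_mode, device_fwd, access_fwd):
        return "private"
    return "public"


def resolve_device(global_flags, cfg):
    """Effective mode of every protocol in global_flags for one device definition."""
    device_fwd = cfg.get("special", {}).get("fwd", True)
    accesses = cfg.get("accesses", {})
    return {
        proto: effective_mode(mode, device_fwd, accesses.get(proto, {}).get("fwd", True))
        for proto, mode in global_flags.items()
    }


if __name__ == "__main__":
    cfg = load_device_config(DEVICE_JSON)
    print("invalid:", invalid_fwd_values(cfg))
    print(json.dumps(resolve_device(GLOBAL_FLAGS, cfg), indent=2))
```

Because "fwd" only tightens, a device-level "private" still applies even where an access explicitly sets "fwd": true, which is why SSH resolves to private in the sample; an access that the global flag already makes private cannot be reopened from the device definition.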