Publish PRTG using a FortiGate

Hi,

I have been working with FortiGate firewalls and PRTG for 10 years, and I want to share some useful information about how to securely publish your PRTG server using a FortiGate firewall.

A while back, the Paessler blog published posts describing how to use a reverse proxy to load off utilization from a PRTG server. One of the posts covered general information of how to do it, while the other described how to do it with a KEMP LoadMaster. Here I'll explain how to do it with FortiGate firewalls.
Fortinet's documentation is available from their website: http://docs.fortinet.com and a handbout about FortiGate server loadbalancing: http://docs.fortinet.com/d/fortigate-server-load-balancing-56

Only FortiGate FortiOS 5.4, 5.6, 6.0, 6.2 and above support TLS 1.2 in the loadbalancing feature. FortiOS 5.2, 5.0, 4.3 and lower only support TLS 1.1 and TLS 1.0. TLS 1.2 is strongly recommended.

1. Add a virtual server to accept the traffic to be load balanced

Go to Policy & Objects > Virtual Servers and add a virtual server:FortiGate_LoadBalancing_VirtualServer_PRTG_01-1
Create a new virtual server, select HTTPS as the "Type", enter the external IP address and TCP port, and select the certificate. The certificate has to be loaded in the certificate store of FortiGate (Go to System > Certificates).
Create a new (real) server, and enter the internal IP address and TCP port.

2. Configure additional FortiGate hardening

Go to the CLI of the FortiGate device using SSH (e.g. using putty), or use the Web interface's CLI console widget:
FortiGate_LoadBalancing_VirtualServer_PRTG_02-1

Enter the following:
config firewall vip
edit vs_PRTG-webserver01 <-- Name of the chosen virtual server 
set ssl-max-version tls-1.2 <-- Recommendation is to only allow TLS 1.2 
set ssl-min-version tls-1.2 <-- Recommendation is to only allow TLS 1.2 
set ssl-server-algorithm custom <-- Recommendation to harden ciphers 
config ssl-server-cipher-suites 
edit 1
set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
next
edit 2
set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
next
end
set ssl-dh-bits 2048 <-- Recommendation to use minimum of 2048 bit for DH* 
ssl-client-renegotiation secure <-- Recommendation to increase client renegotiation
ssl-client-fallback enable <-- Recommendation to enable downgrade attack prevention (TLS_FALLBACK_SCSV, RFC 7507 https://tools.ietf.org/html/rfc7507)
end

*Note: Only FortiGate models with CP9 ASIC processors support 3072/4096 bit DH (Diffie-Hellman) keys in the hardware; other models have to use the FortiGate CPU. FortiGate models with CP8 ASIC processors support up to 2048 bit DH keys in the hardware. For more information about this, go here: 
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-load-balancing/ldb-ssl-tls-diffie.htm
 
From FortiOS5.6 and above, FortiGate offers HSTS, which should be used to enforce HTTPS and prevent MitM-Attacks. HSTS can be activated as follows:
set ssl-hsts enable
set ssl-hsts-age 31536000 <-- Browser will rember for 1 Year it must use HTTPS
set ssl-hsts-include-subdomains enable <-- Subdomains are included

 
For more information about load balancing FortiGate devices, take a look at their documentation:
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-load-balancing/ldb-ssl-tls-version.htm

3. Check the Configuration

Check the configuration again as follows:
config firewall vip
edit vs_PRTG-webserver01
FortiGate1500D-HA01 (vs_PRTG-webserver01) # get
name : vs_PRTG-webserver01
id : 0
uuid : 123456ab-cdef-1234-4567-1234567890ab
comment : virtual server PRTG webserver
type : server-load-balance
src-filter :
extip : 192.168.0.1
extintf : WAN (wan1)
arp-reply : enable
server-type : https
nat-source-vip : disable
gratuitous-arp-interval: 0
srcintf-filter :
http-ip-header : disable
monitor :
color : 0
ldb-method : static
persistence : none
extport : 443
realservers:
== [ 1 ]
id: 1 ip: 172.30.0.171 port: 80 status: active holddown-interval: 300 max-connections: 0
http-multiplex : disable
ssl-mode : half
ssl-certificate : trusted-certificate-loaded-in-certificate-store
ssl-dh-bits : 2048
ssl-algorithm : custom
ssl-server-cipher-suites: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ssl-server-algorithm: client
ssl-pfs : allow
ssl-min-version : tls-1.2
ssl-max-version : tls-1.2
ssl-server-min-version: client
ssl-server-max-version: client
ssl-send-empty-frags: enable
ssl-client-fallback : enable
ssl-client-renegotiation: secure
ssl-client-session-state-type: both
ssl-client-session-state-timeout: 30
ssl-client-session-state-max: 1000
ssl-server-session-state-type: both
ssl-server-session-state-timeout: 60
ssl-server-session-state-max: 100
max-embryonic-connections: 1000


4. Add a WAN1 with the Virtual Server.

Go to Policy & Objects > IPv4 Policy and add a wan1 to internal security policy that includes the virtual server.
In this policy, you can also apply UTM profiles (like Anti-Virus, Intrusion-Prevention, Application-Control, etc.) to the load-balanced sessions.
config firewall policy
edit 0 <-- uses next free policy-id
set srcintf wan1
set srcaddr all
set dstintf internal
set dstaddr vs_PRTG-webserver01
set action accept
set schedule always
set service HTTP <-- service-port of real-server, not virtual server set nat enable <-- only if necessary in your network setup set utm-status enable set profile-protocol-options default set av-profile scan set ips-profile high_security end


5. Test the Configuration

To check if everything worked, you can use different public tools to check your settings. One popular (and good) TLS-checking tool is the tool from SSLLabs: https://www.ssllabs.com/ssltest/analyze.html

6. Harden Security further

In order to make it even more secure, the PRTG webservice can be limited to dedicated IP addresses or (dynamic) FQDNs by setting source-addresses ("set srcaddr") to an address object group in the policy. 

The best way to protect your PRTG is to use VPN (IPSec or SSLVPN), and use a Web Application Firewall WAF. I will try to write an article about howto make your PRTG or webserver available using VPN soon.



Please note: I have carefully compiled this information and it is provided to the best of my knowledge. As I'm not part of one of the vendors, it is not officially supported by me.
You must also be aware, that if you configure any of the parts incorrectly, you may leave yourself open to an intruder gaining access. This includes User ID's, passwords, IP names, etc. In other words: No warranties are expressed or implied. I cannot be held liable for any damages that you may incur as a result of employing a Reverse Proxy.

Hi,
my name is Florian. I'm working for 10 years as an it-security-architect/consultant and my goal with this blog is to share knowledge about useful configurations, debug tools, good & stable architectures and so on.
Kind regards,
Florian

Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) sometimes are not fully normalized to all lowercase characters. You can use Cribl to adjust those values by...