Optimization of traffic filtering on Fortigate with Elastic Stack

Fortigate 200F configuration optimization with Elasticstack

A firewall is a basic element of corporate data protection. Its role is to allow or block traffic, which is based on filters set on individual ports.

The problem arises when the Firewall configuration gets out of hand. Most often, this is a situation that results from the lack of proper hygiene at work, often associated with a significant burden on IT departments. Engineers overwrite old rules with new ones and do not update the rule base after completing projects.

Companies invest in high-quality IT equipment, but they often forget that the equipment itself does not guarantee either security or proper operation. What we most often observe during audits, even in large and well-known companies, is poorly configured edge devices such as UTM, NGFW and a lack of access policy management.

– Jakub Fabiś, Head of Sales, Grandmetric

Client

FMCG company

Production for over 120 markets

Services

Audit of rules defined on a cluster of NGFW / UTM class firewalls (Fortigate 200F)
Analysis of network traffic between individual interfaces and security zones
Create traffic rules
Visualization of traffic flow and volume on individual interfaces using Elasticstack

Implementation results

The client’s systems are tightly secured

The rules we created for NGFW are universal and can be used in the case of migration to another solution

The client uses a convenient dashboard, independent of the manufacturer and visualizing how NGFW filters network traffic

NGFW/UTM – Cybersecurity starts here

Many years of negligence at a global beverage producer meant that engineers did not know which of the rules stored on the ports were up-to-date and in use, and thus they could not determine which way or where the traffic was led. Such a mess made it much more difficult to oversee traffic and assess whether the firewall was properly filtering traffic throughout the organization.

Our client decided to tidy up the configuration of his NGFW devices to make it easier for engineers to troubleshoot network traffic.

Our task was to understand how current Fortigate clusters were configured, and which rules are valid and which are not used. Then we organized and visualized the traffic thanks to the automation of flows between individual interfaces and security zones written by our team.

The solution – the simpler the better

1. Analysis of needs and audit of Firewall configuration

We started with a detailed analysis of needs and an audit of the current configuration. We took a sample of network traffic from the whole week and based on it we prepared basic traffic control rules.

2. Flow visualization

The client did not know how their Fortigate were filtering traffic. In order to analyze which interfaces are used, between which interfaces there is a flow and to determine its volume, we have built our own analysis tool. For this purpose, we used the Elastic Stack (Elasticsearch and Kibana), which based on the data provided to it (source, destination, ports, VLANs) created an appropriate flow diagram (Sankey diagram).

Traffic flow visualization between interfaces on NGFW

3. Step-by-step NGFW Fortigate configuration and testing

We were aware that incorrectly constructed rules affect the operation of the factory, e.g. they may cause computers to lose the ability to supervise machines in the production hall. That’s why we worked in the windows when the machines were down. New rules were added at the top, thanks to which we could unambiguously verify their correctness using packet and session counters that met the rule (so-called hitcount).

Wondering if you can achieve similar results on your Internet edge? Make an appointment for a free consultation.

After recognizing your situation, we will select an engineer who, during a free consultation, will advise what you can do to strengthen security in the area you are interested in.

Jakub Fabiś, Head of Sales, Grandmetric

Case Study