{
"stig": {
"date": "2022-09-12",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-234133": {
"checkid": "C-37318r611397_chk",
"checktext": "Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify there are no policies configured with source and destination interface set to \"any\", and source and destination address set to \"all\" and the Action set to ACCEPT.\n\nIf there are policies configured with source and destination interface set to \"any\", and source and destination address set to \"all\" and the Action set to ACCEPT, this is a finding.",
"description": "Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic.\n\nThe firewall that filters traffic outbound to interconnected networks with different security policies must be configured with filters (i.e., rules, access control lists [ACLs], screens, and policies) that permit, restrict, or block traffic based on organization-defined traffic authorizations. Filtering must include packet header and packet attribute information, such as IP addresses and port numbers.\n\nConfigure filters to perform certain actions when packets match specified attributes, including the following actions:\n\n- Apply a policy\n- Accept, reject, or discard the packets\n- Classify the packets based on their source address\n- Evaluate the next term in the filter\n- Increment a packet counter\n- Set the packets\u2019 loss priority\n- Specify an IPsec SA (if IPsec is used in the implementation)\n- Specify the forwarding path\n- Write an alert or message to the system log.",
"fixid": "F-37283r611398_fix",
"fixtext": "The fix can be performed on FortiGate GUI or CLI. \nLog in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Click +Create New to configure application specific policies, with Action set to ACCEPT.\n4. Configure Logging Options to log All Sessions.\n5. Confirm each Policy is Enabled.\n6. Click OK.\n\nor\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. For IPv4 policy, run the following command:\n # config firewall policy\n # edit {policyid}\n # set srcintf {interface_name_ext}\n # set dstintf {interface_name_int}\n # set srcaddr {address_a}\n # set dstaddr {address_b}\n # set schedule {always}\n # set service {HTTPS}\n # set action {accept}\n # set logtraffic all\n # end\n\nFor IPv6 policy, run the following command: \n # config firewall policy6\n # edit {policyid}\n # set srcintf {interface_name_ext}\n # set dstintf {interface_name_int}\n # set srcaddr {address_a}\n # set dstaddr {address_b}\n # set schedule {always}\n # set service {HTTPS}\n # set action {accept}\n # set logtraffic all\n # end\n\nThe {} indicate the object is defined by the organization policy. The firewall performs IP integrity header checking on all incoming packets to verify if the protocol packet is a valid TCP, UDP, ICMP, SCTP, or GRE length. Stateful inspection is done to verify TCP SYN and FIN flags are set as needed.",
"iacontrols": null,
"id": "V-234133",
"ruleID": "SV-234133r611399_rule",
"severity": "high",
"title": "The FortiGate firewall must use filters that use packet headers and packet attributes, including source and destination IP addresses and ports.",
"version": "FNFG-FW-000005"
},
"V-234134": {
"checkid": "C-37319r611400_chk",
"checktext": "If FortiGate is not configured to support VPN access, this requirement is Not Applicable.\n\nLog in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify all VPN-related policies are configured with organization-defined filtering rules.\n4. For each VPN-related policy, verify the logging option is configured to log All Sessions (for most verbose logging).\n\nIf there are no VPN policies configured with organization-defined filtering rules, this is a finding.",
"description": "Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).",
"fixid": "F-37284r611401_fix",
"fixtext": "This fix can be performed on the FortiGate GUI or on the CLI. \nLog in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Click +Create New to configure new ingress and egress SSL-VPN- or IPSec-VPN-related policies that meet the organization-defined filtering rules.\n4. Configure Logging Options to log All Sessions (for most verbose logging).\n5. Confirm each created Policy is Enabled.\n6. Click OK.\n\nor\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config firewall policy\n # edit 0\n # set srcintf {vpn_interface}\n # set dstintf {interface_1}\n # set srcaddr {address_a}\n # set dstaddr {address_b}\n # set schedule {always}\n # set service {services required by site policy}\n # set action {accept}\n # set logtraffic enable\n # next\n # end\n3. Create opposite (ingress or egress) policy as required.\n\nThe {} indicate the object is defined by the organization policy.",
"iacontrols": null,
"id": "V-234134",
"ruleID": "SV-234134r611402_rule",
"severity": "medium",
"title": "The FortiGate firewall must use organization-defined filtering rules that apply to the monitoring of remote access traffic for the traffic from the VPN access points.",
"version": "FNFG-FW-000015"
},
"V-234135": {
"checkid": "C-37320r611403_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Local Traffic.\n3. Verify events are generated containing date, time, alert level related to System and Local Traffic Log.\n\nIn addition to System log settings, verify that individual firewall policies are configured with most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify all Policy rules are configured with Logging Options set to log All Sessions (for most verbose logging).\n\nIf there are no events generated containing date, time, alert level, user, message type, and other information, this is a finding.",
"description": "Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit event content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the network element logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.",
"fixid": "F-37285r611404_fix",
"fixtext": "This fix can be performed on the FortiGate GUI or on the CLI. \nLog in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Click All for the Event Logging and Local Traffic Log options (for most verbose logging), or Click Customize and choose granular logging options to meet organization needs.\n4. Click Apply.\n\nIn addition to these log settings, configure individual firewall policies with the most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. For each policy, configure Logging Options to log All Sessions (for most verbose logging).\n4. Confirm each created Policy is Enabled.\n5. Click OK.\n\nor\n\n1. Open a CLI console.\n2. Run the following command:\n # config log eventfilter\n # set event enable\n # set system enable\n # set endpoint enable\n # set user enable\n # set security-rating enable\n # end\n # config firewall policy\n # edit 0\n # set srcintf {interface_name_1}\n # set dstintf {interface_name_2}\n # set srcaddr {address_a}\n # set dstaddr {address_b}\n # set schedule {always}\n # set service {service required by site policy}\n # set action {accept}\n # set logtraffic enable\n # next\n # end\n\nThe {} indicate the object is defined by the organization policy.",
"iacontrols": null,
"id": "V-234135",
"ruleID": "SV-234135r611405_rule",
"severity": "medium",
"title": "The FortiGate firewall must generate traffic log entries containing information to establish what type of events occurred.",
"version": "FNFG-FW-000020"
},
"V-234136": {
"checkid": "C-37321r611406_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Events, or Local Traffic.\n3. Verify events are generated containing date, time, and alert level related to System and Local Traffic Log.\n\nIn addition to System log settings, verify individual firewall policies are configured with most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify all Policy rules are configured with Logging Options set to log All Sessions (for most verbose logging).\n\nIf the log events do not contain information to establish date and time, this is a finding.",
"description": "Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nTo compile an accurate risk assessment and provide forensic analysis of network traffic patterns, it is essential for security personnel to know when flow control events occurred (date and time) within the infrastructure.\n\nAssociating event types with detected events in the network traffic logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.",
"fixid": "F-37286r611407_fix",
"fixtext": "This fix can be performed on the FortiGate GUI or on the CLI. \nLog in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Click All for the Event Logging and Local Traffic Log options (for most verbose logging), or Click Customize and choose granular logging options to meet organization needs.\n4. Click Apply.\n\nIn addition to these log settings, configure individual firewall policies with the most suitable Logging Options.\n \n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. For each policy, configure Logging Options to log All Sessions (for most verbose logging).\n4. Confirm each created Policy is Enabled.\n5. Click OK.\n\nor\n\n1. Open a CLI console.\n2. Run the following command:\n # config log eventfilter\n # set event enable\n # set system enable\n # set endpoint enable\n # set user enable\n # set security-rating enable\n # end\n # config firewall policy\n # edit 0\n # set srcintf {interface_name_1}\n # set dstintf {interface_name_2}\n # set srcaddr {address_a}\n # set dstaddr {address_b}\n # set schedule {always}\n # set service {service required by site policy}\n # set action {accept}\n # set logtraffic enable\n # next\n # end\n\nThe {} indicate the object is defined by the organization policy.",
"iacontrols": null,
"id": "V-234136",
"ruleID": "SV-234136r611408_rule",
"severity": "medium",
"title": "The FortiGate firewall must generate traffic log entries containing information to establish when (date and time) the events occurred.",
"version": "FNFG-FW-000025"
},
"V-234137": {
"checkid": "C-37322r611409_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Forward Traffic, or Local Traffic.\n3. Double-click on an Event to view Log Details.\n4. Verify traffic log events contain source and destination IP addresses, and interfaces.\n\nIn addition to System log settings, verify that individual firewall policies are configured with most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify all Policy rules are configured with Logging Options set to log All Sessions (for most verbose logging).\n\nIf the traffic log events do not contain source and destination IP addresses, or interfaces, this is a finding.",
"description": "Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nTo compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as network element components, modules, device identifiers, node names, and functionality. \n\nAssociating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.",
"fixid": "F-37287r611410_fix",
"fixtext": "This fix can be performed on the FortiGate GUI or on the CLI. \nLog in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Click All for the Event Logging and Local Traffic Log options (for most verbose logging), or Click Customize and choose granular logging options to meet organization needs.\n4. Scroll to UUIDs in Traffic Log and toggle Policy and Address buttons to enable.\n5. Click Apply.\n\nIn addition to these log settings, configure individual firewall policies with the most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. For each policy, configure Logging Options to log All Sessions (for most verbose logging).\n4. Confirm each created Policy is Enabled.\n5. Click OK.\n\nor\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config log eventfilter\n # set event enable\n # set system enable\n # set endpoint enable\n # set user enable\n # set security-rating enable\n # end\n3. For each configured policy set the following: \n # config firewall {policy|policy6}\n # edit {policyid}\n # set logtraffic enable\n # end\n\nThe {} indicate the object is defined by the organization policy.",
"iacontrols": null,
"id": "V-234137",
"ruleID": "SV-234137r611411_rule",
"severity": "medium",
"title": "The FortiGate firewall must generate traffic log entries containing information to establish the network location where the events occurred.",
"version": "FNFG-FW-000030"
},
"V-234138": {
"checkid": "C-37323r611412_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Forward Traffic or Local Traffic.\n3. Double-click on an Event to view Log Details.\n4. Verify traffic log events contain source and destination IP addresses, and interfaces.\n\nIn addition to System log settings, verify that individual IPv4 policies are configured with most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify all Policy rules are configured with Logging Options set to log All Sessions (for most verbose logging).\n\nIf the log events do not contain IP address of source devices, this is a finding.",
"description": "Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event.\n\nIn addition to logging where events occur within the network, the traffic log events must also identify sources of events, such as IP addresses, processes, and node or device names.",
"fixid": "F-37288r611413_fix",
"fixtext": "This fix can be performed on the FortiGate GUI or on the CLI. \nLog in to the FortiGate GUI with Super- or Log-and-Report-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Click All for the Event Logging and Local Traffic Log options (for most verbose logging), or Click Customize and choose granular logging options to meet organization needs.\n4. Scroll to UUIDs in Traffic Log and toggle Policy and Address buttons to enable.\n5. Click Apply.\n\nIn addition to these log settings, configure individual firewall policies with the most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. For each policy, configure Logging Options to log All Sessions (for most verbose logging).\n4. Confirm each created Policy is Enabled.\n5. Click OK.\n\nor\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config log eventfilter\n # set event enable\n # set system enable\n # set endpoint enable\n # set user enable\n # set security-rating enable\n # end\n # config firewall policy\n # edit 0\n # set srcintf {interface_name_1}\n # set dstintf {interface_name_2}\n # set srcaddr {address_a}\n # set dstaddr {address_b}\n # set schedule {always}\n # set service {services required by site policy}\n # set action {accept}\n # set logtraffic enable\n # next\n # end\n\nThe {} indicate the object is defined by the organization policy.",
"iacontrols": null,
"id": "V-234138",
"ruleID": "SV-234138r611414_rule",
"severity": "low",
"title": "The FortiGate firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum.",
"version": "FNFG-FW-000035"
},
"V-234139": {
"checkid": "C-37324r611415_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Forward Traffic or Local Traffic.\n3. Double-click on an Event to view Log Details.\n4. Verify log events contain status information like success or failure of the application of the firewall rule.\n\nIn addition to System log settings, verify that individual IPv4 policies are configured with most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify all Policy rules are configured with Logging Options set to log All Sessions (for most verbose logging).\n\nIf the log events do not contain status information, like success or failure of the application of the firewall rule, this is a finding.",
"description": "Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the network.\n\nEvent outcomes can include indicators of event success or failure and event-specific results. They also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.",
"fixid": "F-37289r611416_fix",
"fixtext": "This fix can be performed on the FortiGate GUI or on the CLI. \nLog in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Click All for the Event Logging and Local Traffic Log options (for most verbose logging), or Click Customize and choose granular logging options to meet organization needs.\n4. Scroll to UUID in Traffic Log and toggle Policy and Address buttons to enable.\n5. Click Apply.\n\nIn addition to these log settings, configure individual firewall policies with the most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. For each policy, configure Logging Options to log All Sessions (for most verbose logging).\n4. Confirm each created Policy is Enabled.\n5. Click OK.\n\nor\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config log eventfilter\n # set event enable\n # set system enable\n # set endpoint enable\n # set user enable\n # set security-rating enable\n # end\n # config firewall policy\n # edit 0\n # set srcintf {interface_name_1}\n # set dstintf {interface_name_2}\n # set srcaddr {address_a}\n # set dstaddr {address_b}\n # set schedule {always}\n # set service {services required by site policy}\n # set action {accept}\n # set logtraffic enable\n # next\n # end\n\nThe {} indicate the object is defined by the organization policy.",
"iacontrols": null,
"id": "V-234139",
"ruleID": "SV-234139r611417_rule",
"severity": "medium",
"title": "The FortiGate firewall must generate traffic log entries containing information to establish the outcome of the events, such as, at a minimum, the success or failure of the application of the firewall rule.",
"version": "FNFG-FW-000040"
},
"V-234140": {
"checkid": "C-37325r863249_chk",
"checktext": "Verify at least two logging options are configured. It can be any combination of local and/or remote logging.\n\nVia the GUI:\n\nLogin via the FortiGate GUI with super-admin privileges. \n\n- Navigate to Log and Report.\n- Navigate to Log Settings.\n- Verify the FortiGate Local Log disk settings.\n- Verify the Remote and Archiving settings.\n\nor\n\nVia the CLI:\n\nOpen a CLI console via SSH or from the \"CLI Console\" button in the GUI.\n\nRun the following commands to verify which logging settings are enabled:\n\n# show full-configuration log disk setting | grep -i 'status\\|diskfull'\n- The output should indicate enabled.\n\n# show full-configuration log fortianalyzer setting | grep -i 'status\\|server'\n# show full-configuration log fortianalyzer2 setting | grep -i 'status\\|server'\n# show full-configuration log fortianalyzer3 setting | grep -i 'status\\|server'\n# show full-configuration log syslogd setting | grep -i 'status\\|server'\n# show full-configuration log syslogd2 setting | grep -i 'status\\|server'\n# show full-configuration log syslogd3 setting | grep -i 'status\\|server'\n# show full-configuration log syslogd4 setting | grep -i 'status\\|server'\n- The output should indicate enabled and an IP address.\n\nIf the FortiGate is not logging to at least two locations (local and remote OR remote(x2) only), this is a finding.",
"description": "It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.\n\nIn accordance with DoD policy, the traffic log must be sent to a central audit server. When logging functions are lost, system processing cannot be shut down because firewall availability is an overriding concern given the role of the firewall in the enterprise. The system should either be configured to log events to an alternative server or queue log records locally. Upon restoration of the connection to the central audit server, action should be taken to synchronize the local log data with the central audit server.\n\nIf the central audit server uses User Datagram Protocol (UDP) communications instead of a connection-oriented protocol such as TCP, a method for detecting a lost connection must be implemented.",
"fixid": "F-37290r863250_fix",
"fixtext": "For audit log resilience, it is required to log to the local FortiGate disk and a central audit server, or two central audit servers. To do this, log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. For Local Log setting options, toggle the Disk setting to right.\n\nTo add a syslog server:\n5. For Remote Logging and Archiving, toggle the Send logs to syslog setting and enter the appropriate IP address.\n6. Click Apply to save the settings.\n\nor\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config log disk setting\n # set status enable\n # set diskfull overwrite\n # end\n # config log syslogd setting\n # set status enable\n # set server {IP Address}\n # set mode reliable\n # end",
"iacontrols": null,
"id": "V-234140",
"ruleID": "SV-234140r863251_rule",
"severity": "medium",
"title": "In the event that communication with the central audit server is lost, the FortiGate firewall must continue to queue traffic log records locally.",
"version": "FNFG-FW-000045"
},
"V-234141": {
"checkid": "C-37326r835163_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privileges.\n\n1. Open a CLI console via SSH or from the GUI widget.\n2. Run the following command:\n # show full-configuration log syslogd setting\nThe output should include:\n set server {123.123.123.123}\n set mode reliable\n set enc-algorithm {medium-high | high}\n\nIf the syslogd mode is not set to reliable, this is a finding.\nIf the set enc-algorithm is not set to high or medium-high, this is a finding.",
"description": "Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or identify an improperly configured firewall. Thus, it is imperative that the collected log data be secured and access be restricted to authorized personnel. Methods of protection may include encryption or logical separation.\n\nThis does not apply to traffic logs generated on behalf of the device itself (management). Some devices store traffic logs separately from the system logs.",
"fixid": "F-37291r835164_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\nFirst, upload the CA certificate that issued the Syslog server certificate.\n1. Click System.\n2. Click Certificates.\n3. Click Import, then CA Certificate.\n4. Specify File, and click + Upload.\n5. Choose the CA Certificate to upload from the local hard drive.\n6. Click OK.\n\nThen, configure a TLS-enabled syslog connection:\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config log syslogd setting\n # set status enable\n # set server {SYSLOG SERVER IP ADDRESS} \n # set mode reliable\n # set enc-algorithm {HIGH-MEDIUM | HIGH}\n # set certificate (Optional - Select local certificate if Syslog server is challenging client [FortiGate] for authentication)\n # end\n\nNote: The server IP address must be on the site's management network.",
"iacontrols": null,
"id": "V-234141",
"ruleID": "SV-234141r835165_rule",
"severity": "medium",
"title": "The FortiGate firewall must protect traffic log records from unauthorized access while in transit to the central audit server.",
"version": "FNFG-FW-000050"
},
"V-234142": {
"checkid": "C-37327r611424_chk",
"checktext": "Log in to the FortiGate GUI with an administrator that has no Log and Report access.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n $ config log setting\n\n3. Ensure that the command fails. \n\nIf an Administrator without Log and Report privileges can configure log settings, this is a finding.",
"description": "If audit data were to become compromised, forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This can be achieved through multiple methods, which will depend on system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nThis does not apply to traffic logs generated on behalf of the device itself (management). Traffic logs and Management logs are separate on FortiGate.",
"fixid": "F-37292r611425_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click System.\n2. Click Admin Profiles.\n3. Click +Create New (Admin Profile).\n4. Assign a meaningful name to the Profile.\n5. Set Log and Report access permissions to None.\n6. Click OK to save this Profile.\n\nThen, \n1. Click System.\n2. Click Administrators.\n3. Click the Administrator that is not allowed access to log records.\n4. Assign the Admin Profile that was created above.\n5. Click OK to save.\n\nRepeat this process to remove log access for all Administrators without an organizational need to modify log settings.",
"iacontrols": null,
"id": "V-234142",
"ruleID": "SV-234142r611426_rule",
"severity": "medium",
"title": "The FortiGate firewall must protect the traffic log from unauthorized modification of local log records.",
"version": "FNFG-FW-000055"
},
"V-234143": {
"checkid": "C-37328r611427_chk",
"checktext": "Log in to the FortiGate GUI with an administrator that has no Log and Report access.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n $ execute log delete\n\n3. Ensure that the command fails.\n\nIf an Administrator without Log and Report privileges can delete locally stored logs, this is a finding.",
"description": "If audit data were to become compromised, forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This can be achieved through multiple methods, which will depend on system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nThis does not apply to traffic logs generated on behalf of the device itself (management). Traffic logs and Management logs are separate on FortiGate.",
"fixid": "F-37293r611428_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click System.\n2. Click Admin Profiles.\n3. Click +Create New (Admin Profile).\n4. Assign a meaningful name to the Profile.\n5. Set Log and Report access permissions to None.\n6. Click OK to save this Profile.\n\nThen, \n1. Click System.\n2. Click Administrators.\n3. Click the Administrator that is not allowed access to log settings.\n4. Assign the Admin Profile that was created above.\n5. Click OK to save.\n\nRepeat this process to remove log access for all Administrators without an organizational need to modify log records.",
"iacontrols": null,
"id": "V-234143",
"ruleID": "SV-234143r611429_rule",
"severity": "high",
"title": "The FortiGate firewall must protect the traffic log from unauthorized deletion of local log files and log records.",
"version": "FNFG-FW-000060"
},
"V-234144": {
"checkid": "C-37329r611430_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # show full-configuration system interface\n3. Review configuration for unnecessary services.\n\nIf unnecessary services are configured, this is a finding.",
"description": "Network devices are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the firewall. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nSome services may be security related, but based on the firewall\u2019s role in the architecture, must not be installed on the same hardware. For example, the device may serve as a router, VPN, or other perimeter services. However, if these functions are not part of the documented role of the firewall in the enterprise or branch architecture, the software and licenses must not be installed on the device. This mitigates the risk of exploitation of unconfigured services or services that are not kept updated with security fixes. If left unsecured, these services may provide a threat vector.\n\nSome services are not authorized for combination with the firewall and individual policy must be in place to instruct the administrator to remove these services. Examples of these services are Network Time Protocol (NTP), domain name server (DNS), email server, FTP server, web server, and Dynamic Host Configuration Protocol (DHCP). \n\nOnly remove unauthorized services. This control is not intended to restrict the use of firewalls with multiple authorized roles.",
"fixid": "F-37294r611431_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config system interface\n # edit {interface-name}\n # get | grep enable\n # get | grep allowaccess\nDisable each service in {} that needs to be removed using:\n # config system interface\n # edit {interface-name}\n # set {service} disable\n # end",
"iacontrols": null,
"id": "V-234144",
"ruleID": "SV-234144r611432_rule",
"severity": "medium",
"title": "The FortiGate firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.",
"version": "FNFG-FW-000065"
},
"V-234145": {
"checkid": "C-37330r611433_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Policy and Objects.\n2. Go to IPv4 DoS Policy.\n3. Verify different DoS policies that include Incoming Interface, Source Address, Destination Address, and Services have been created.\n4. Verify the DoS policies are configured to block L3 and L4 anomalies.\n\nIf the DoS policies are not configured to block the outbound traffic, this is a finding.",
"description": "DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performance. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users.\n\nInstallation of a firewall at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.\n\nThe firewall must include protection against DoS attacks that originate from inside the enclave that can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. These attacks can be simple \"floods\" of traffic to saturate circuits or devices, malware that consumes CPU and memory on a device or causes it to crash, or a configuration issue that disables or impairs the proper function of a device. For example, an accidental or deliberate misconfiguration of a routing table can misdirect traffic for multiple networks.",
"fixid": "F-37295r611434_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 DoS Policy or IPv6 DoS Policy.\n3. Click +Create New.\n4. Select the Incoming Interface.\n5. Select Source and Destination addresses.\n6. Select the Service.\n7. Enable desired L3 and L4 anomalies and thresholds.\n8. Ensure the Enable this policy is toggled to right.\n9. Click OK.\n10. Ensure a policy is created for each interface where there is potential risk of DoS.",
"iacontrols": null,
"id": "V-234145",
"ruleID": "SV-234145r611435_rule",
"severity": "medium",
"title": "The FortiGate firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.",
"version": "FNFG-FW-000070"
},
"V-234146": {
"checkid": "C-37331r611436_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Policy and Objects.\n2. Go to IPv4 DoS Policy.\n3. Verify different DoS policies that include Incoming Interface, Source Address, Destination Address, and Services have been created.\n4. Verify the DoS policies are configured to block L3 and L4 anomalies.\n\nIf the DoS policies are not configured to block excess traffic, this is a finding.",
"description": "A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also have an effect on control keep-alives and timers used for neighbor peering resulting in route flapping and will eventually black hole production traffic.\n\nThe device must be configured to contain and limit a DoS attack's effect on the device's resource utilization. The use of redundant components and load balancing are examples of mitigating \"flood-type\" DoS attacks through increased capacity.",
"fixid": "F-37296r611437_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 DoS Policy or IPv6 DoS Policy.\n3. Click +Create New.\n4. Select the Incoming Interface.\n5. Select Source and Destination addresses.\n6. Select the Service.\n7. Enable desired L3 and L4 anomalies and thresholds.\n8. Ensure the Enable this policy is toggled to right.\n9. Click OK.\n10. Ensure a policy is created for each interface where there is potential risk of DoS.",
"iacontrols": null,
"id": "V-234146",
"ruleID": "SV-234146r611438_rule",
"severity": "medium",
"title": "The FortiGate firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.",
"version": "FNFG-FW-000075"
},
"V-234147": {
"checkid": "C-37332r611439_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # show firewall policy\n # show firewall policy6\n\nEnsure policies are created that only allow approved traffic that is in accordance with the PPSM CAL and VAs for the enclave. \n\nIf configured policies allow traffic that is not allowed per the PPSM CAL and VAs for the enclave, this is a finding.",
"description": "The enclave's internal network contains the servers where mission-critical data and applications reside. Malicious traffic can enter from an external boundary or originate from a compromised host internally.\n\nVulnerability assessments must be reviewed by the SA and protocols must be approved by the IA staff before entering the enclave. \n\nFirewall filters (e.g., rules, access control lists [ACLs], screens, and policies) are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to even reach a potential target within the security domain. The filters provided are highly susceptible ports and services that should be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network but stopped by the firewall filters will allow network administrators to broaden their protective ring and more tightly define the scope of operation. \n\nIf the perimeter is in a deny-by-default posture and what is allowed through the filter is in accordance with the PPSM CAL and VAs for the enclave, and if the permit rule is explicitly defined with explicit ports and protocols allowed, then all requirements related to the database being blocked would be satisfied.",
"fixid": "F-37297r611440_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Click +Create New.\n4. Name the policy, select Incoming and Outgoing Interfaces.\n5. Create policies with authorized sources and destinations.\n6. Set action to ACCEPT.\n7. Ensure the Enable this policy is toggled to right.\n8. Click OK.\n9. Ensure a policy is created for each interface.\n\nTraffic is denied by default and policies must be configured to allow traffic that meets PPSM CAL and VA guidelines.",
"iacontrols": null,
"id": "V-234147",
"ruleID": "SV-234147r628789_rule",
"severity": "medium",
"title": "The FortiGate firewall must filter traffic destined to the internal enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL), Vulnerability Assessments (VAs) for the enclave.",
"version": "FNFG-FW-000085"
},
"V-234148": {
"checkid": "C-37333r611442_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # show ips global | grep -i fail-open\n # show system global | grep -i failopen\n\nIf ips fail-open is set to enable or av-failopen is not set to off or av-failopen-session is not set to disable, this is a finding.",
"description": "Firewalls that fail suddenly and with no incorporated failure state planning may leave the hosting system available but with a reduced security protection. Failure to a known safe state helps prevent systems from failing to a state that may cause unauthorized access to make changes to the firewall filtering functions. \n\nThis applies to the configuration of the gateway or network traffic security function of the device. Abort refers to stopping the firewall filtering function before it has finished naturally. The term abort refers to both requested and unexpected terminations.",
"fixid": "F-37298r611443_fix",
"fixtext": "FortiGate will inherently fail closed upon a power failure. Additionally, the FortiOS kernel enters conserve mode when memory use reaches the red threshold (default 88 percent memory use). When the red threshold is reached, FortiOS functions that react to conserve mode, such as the antivirus transparent proxy, apply conserve mode based on configured conserve mode settings. Additionally, FortiOS generates conserve mode log messages and SNMP traps, and a conserve mode banner appears on the GUI. If memory use reaches the extreme threshold (95 percent memory used), new sessions are dropped and red threshold conserve mode actions continue.\n\nConserve mode actions for filtering are configured as follows:\n\nLog in to the FortiGate GUI with Super-Admin privilege.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config ips global\n # set fail-open disable\n # end\n # config system global\n # set av-failopen off\n # set av-failopen-session disable\n # end",
"iacontrols": null,
"id": "V-234148",
"ruleID": "SV-234148r611444_rule",
"severity": "medium",
"title": "The FortiGate firewall must fail to a secure state if the firewall filtering functions fail unexpectedly.",
"version": "FNFG-FW-000090"
},
"V-234149": {
"checkid": "C-37334r611445_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Under Remote Logging and Archiving, verify FortiAnalyzer and/or syslog settings are enabled and configured with IP addresses of central FortiAnalyzer or Syslog server(s).\n\nor\n\nLog in to the FortiGate GUI with Super-Admin privilege.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # show full-configuration log syslogd setting | grep -i status\n Check output for: \n set status enable\n3. Run the following command:\n # show full-configuration log fortianalyzer setting | grep -i status\n check output for: \n set status enable\n\nIf the FortiGate is not configured to send traffic logs to a central audit server, this is a finding.",
"description": "Without the ability to centrally manage the content captured in the traffic log entries, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.\n\nThe DoD requires centralized management of all network component audit record content. Network components requiring centralized traffic log management must have the ability to support centralized management. The content captured in traffic log entries must be managed from a central location (necessitating automation). Centralized management of traffic log records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. \n\nEnsure at least one syslog server is configured on the firewall.\n\nIf the product inherently has the ability to store log records locally, the local log must also be secured. However, this requirement is not met since it calls for a use of a central audit server.",
"fixid": "F-37299r835166_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Go to Remote Logging and Archiving.\n\nIf using FortiAnalyzer:\n4. Toggle Send logs to FortiAnalyzer/FortiManager to the right.\n5. Configure FortiAnalyzer/FortiManager with designated IP address.\n6. Configure Upload Option, SSL encrypt log transmission and Allow access to FortiGate REST API per the organizational requirement.\n\nIf using a central syslog server:\n7. Toggle Send logs to syslog to the right.\n8. Configure syslog settings with designated IP Address/FQDN.\n9. Click Apply.\n\nor\n\nLog in to the FortiGate GUI with Super-Admin privilege.\n\nOpen a CLI console, via SSH or available from the GUI.\n\nIf using FortiAnalyzer, run the following command:\n # config log fortianalyzer setting\n # set status enable\n # set server {IP address}\n # end\n\nIf using central syslog Server, run the following command:\n # config log syslogd setting\n # set status enable\n # set server {IP address}\n # end",
"iacontrols": null,
"id": "V-234149",
"ruleID": "SV-234149r863248_rule",
"severity": "medium",
"title": "The FortiGate firewall must send traffic log entries to a central audit server for management and configuration of the traffic log entries.",
"version": "FNFG-FW-000100"
},
"V-234150": {
"checkid": "C-37335r611448_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Security Fabric.\n2. Click Automation.\n3. Verify Automation Stitches are configured to send alerts related to loss of communication with the central audit server.\n4. For each Automation Stitch, verify a valid Action Email has been configured.\n\nIf there are no organization-specific Automation Stitches defined to trigger on loss of communication with the central audit server, this is a finding.",
"description": "Without a real-time alert (less than a second), security personnel may be unaware of an impending failure of the audit functions and system operation may be adversely impacted. Alerts provide organizations with urgent messages. Automated alerts can be conveyed in a variety of ways, including via a regularly monitored console, telephonically, via electronic mail, via text message, or via websites.\n\nLog processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reached or exceeded. Most firewalls use UDP to send audit records to the server and cannot tell if the server has received the transmission, thus the site must either implement a connection-oriented communications solution (e.g., TCP) or implement a heartbeat with the central audit server and send an alert if it is unreachable.",
"fixid": "F-37300r611449_fix",
"fixtext": "To create real-time alerts when FortiAnalyzer is the central audit server, log in to the FortiGate GUI with Super-Admin privilege. If not using FortiAnalyzer, skip ahead to the central log server steps. \n\n1. Click Security Fabric.\n2. Click Automation.\n3. Click +Create New (Automation Stitch).\n4. For Trigger, select FortiOS Event Log.\n5. For Event field, Click + (and choose a specific event type).\n6. For Action, select Email, specify recipients, and Email subject.\n7. Click OK.\n\nThe following are all relevant Event Log entries for loss of communication with the central audit server. For most complete coverage, configure an Automation Stitch for each of the Event Log entries below:\n\n-FortiAnalyzer connection down\n-FortiAnalyzer connection failed\n-FortiAnalyzer log access failed\n-Log Upload Error\n\nTo create real-time alerts when using a syslog server as the central audit server, log in to the FortiGate GUI with Super-Admin privilege.\n\nTo ensure Feature visibility: \n1. Click System.\n2. Click Feature Visibility.\n3. Under Additional Features, toggle the switch to enable Load Balance.\n4. Click Apply.\n\nTo configure the alert: \n1. Click Policies & Objects.\n2. Click Health Check.\n3. Click +Create New.\n4. Name the Health Check.\n5. For Type, select TCP.\n6. For Interval, type {5}.\n7. For Timeout, type {1}.\n8. For Retry, type {1}.\n9. For Port, type {514}.\n10. Click OK.\n11. Click Virtual Servers.\n12. Click +Create New.\n13. Name the Virtual Server.\n14. For Type, select TCP.\n15. For Interface, select any unused internal interface.\n16. For Virtual Server IP, type any unused IP.\n17. For Virtual Server Port, type {514}.\n18. For Health Check, select the Health Check that was created in steps 1-10.\n19. In Real Servers, click +Create New.\n20. In New Real Server IP Address, type the IP address of the syslog server.\n21. For port, type {514}.\n22. Click OK to close New Real Server window.\n23. Click OK to close Edit Virtual Server.\n24. Click Security Fabric.\n25. Click Automation.\n26. Click +Create New (Automation Stitch).\n27. For Trigger, select FortiOS Event Log.\n28. For Event field, click + and choose \"VIP real server down\".\n29. For Action, select Email, specify recipients, and Email subject.\n30. Click OK.",
"iacontrols": null,
"id": "V-234150",
"ruleID": "SV-234150r852960_rule",
"severity": "medium",
"title": "If communication with the central audit server is lost, the FortiGate firewall must generate a real-time alert to, at a minimum, the SCA and ISSO.",
"version": "FNFG-FW-000105"
},
"V-234151": {
"checkid": "C-37336r611451_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 DoS Policy.\n3. Verify different DoS policies that include Incoming Interface, Source Address, Destination Address, and Services have been created.\n4. Double-click on each policy.\n5. Verify the DoS policies are configured with appropriate thresholds for L3 and L4 anomalies.\n\nIf the DoS policies are not configured to filter packets associated with flooding, packet sweeps, and unauthorized port scanning, this is a finding.",
"description": "Not configuring a key boundary security protection device such as the firewall against commonly known attacks is an immediate threat to the protected enclave because they are easily implemented by those with little skill. Directions for the attack are obtainable on the internet and in hacker groups. Without filtering enabled for these attacks, the firewall will allow these attacks beyond the protected boundary.\n\nConfigure the perimeter and internal boundary firewall to guard against the three general methods of well-known DoS attacks: flooding attacks, protocol sweeping attacks, and unauthorized port scanning.\n\nFlood attacks occur when the host receives too much traffic to buffer and slows down or crashes. Popular flood attacks include ICMP flood and SYN flood. A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests, resulting in DoS. An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic, also resulting in DoS. An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of a host.\n\nIn an IP address sweep attack, an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target\u2019s IP address to the attacker. In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. In a UDP sweep attack, an attacker sends UDP packets to the target device. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack.\n\nIn a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively.",
"fixid": "F-37301r611452_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 DoS Policy or IPv6 DoS Policy.\n3. Click +Create New.\n4. Configure DoS policies that include Incoming Interface, Source Address, Destination Address, and Services.\n5. Configure Action and Threshold for L3 and L4 anomalies per site policies.\n6. Click OK.",
"iacontrols": null,
"id": "V-234151",
"ruleID": "SV-234151r852961_rule",
"severity": "high",
"title": "The FortiGate firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.",
"version": "FNFG-FW-000110"
},
"V-234152": {
"checkid": "C-37337r611454_chk",
"checktext": "Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click the Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify the policies are configured for all Interfaces.\n4. Verify the policies are configured with Action set either to DENY or ACCEPT based on the organizational requirement.\n\nIf a Firewall Policy is not applied to all interfaces, this is a finding.",
"description": "Unrestricted traffic to the trusted networks may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nFirewall filters control the flow of network traffic and ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated.",
"fixid": "F-37302r611455_fix",
"fixtext": "Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click the Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Click +Create New.\n4. Name the policy, select Incoming and Outgoing Interfaces.\n5. Create the policies with authorized sources and destinations.\n6. Create the policies with Action set to either DENY or ACCEPT.\n7. Ensure the Enable this policy is toggled to right.\n8. Click OK.\n9. Ensure a policy is created for each interface.",
"iacontrols": null,
"id": "V-234152",
"ruleID": "SV-234152r852962_rule",
"severity": "medium",
"title": "The FortiGate firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.",
"version": "FNFG-FW-000115"
},
"V-234153": {
"checkid": "C-37338r611457_chk",
"checktext": "Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click the Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify the policies are configured for each Outgoing Interface.\n4. Verify policies are configured with Action set either to DENY or ACCEPT based on the organizational requirement.\n\nIf the Firewall Policies are not applied to all outbound interfaces, this is a finding.",
"description": "If outbound communications traffic is not filtered, hostile activity intended to harm other networks or packets from networks destined to unauthorized networks may not be detected and prevented.\n\nAccess control policies and access control lists implemented on devices, such as firewalls, that control the flow of network traffic ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated.\n\nThis requirement addresses the binding of the egress filter to the interface/zone rather than the content of the egress filter.",
"fixid": "F-37303r611458_fix",
"fixtext": "Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click the Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Click +Create New.\n4. Name the policy and select Incoming and Outgoing Interfaces.\n5. Create the policies with authorized sources and destinations.\n6. Create the policies with Action set to either DENY or ACCEPT.\n7. Ensure the Enable this policy is toggled to right.\n8. Click OK.",
"iacontrols": null,
"id": "V-234153",
"ruleID": "SV-234153r852963_rule",
"severity": "medium",
"title": "The FortiGate firewall must apply egress filters to traffic outbound from the network through any internal interface.",
"version": "FNFG-FW-000120"
},
"V-234154": {
"checkid": "C-37339r611460_chk",
"checktext": "If FortiGate is not employed as a premise firewall, this requirement is Not Applicable.\n\nLog in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify there are Policies in which the Incoming Interface is the Management Network, and the Outgoing Interface is an EGRESS interface.\n4. Verify these policies are configured with Action set to DENY.\n\nIf there are not DENY Policies where the Incoming Interface is the Management Network, and the Outgoing Interface is an EGRESS interface, this is a finding.",
"description": "The management network must still have its own subnet in order to enforce control and access boundaries provided by layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. \n\nSafeguards must be implemented to ensure the management traffic does not leak past the managed network's premise equipment. If a firewall is located behind the premise router, all management traffic must be blocked at that point, with the exception of management traffic destined to premise equipment.",
"fixid": "F-37304r852964_fix",
"fixtext": "Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Click +Create New.\n4. Name the policy.\n5. For the Incoming Interface, select the interface related to the Management Network.\n6. For the Outgoing Interface, select an EGRESS interface.\n7. For the Source, select the Management Network IP range.\n8. For the Destination and Service, select ALL.\n9. Configure the Policy Action to DENY.\n10. Ensure the Enable this policy is toggled to right.\n11. Click OK.\n\nRepeat these steps for each EGRESS interface.",
"iacontrols": null,
"id": "V-234154",
"ruleID": "SV-234154r852965_rule",
"severity": "medium",
"title": "When employed as a premise firewall, FortiGate must block all outbound management traffic.",
"version": "FNFG-FW-000125"
},
"V-234155": {
"checkid": "C-37340r611463_chk",
"checktext": "If FortiGate is not configured to support VPN access, this requirement is Not Applicable.\n\nLog in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify there are Policies where the Incoming Interface is a management-related VPN Tunnel interface, and the Outgoing Interface is the Management Network interface.\n4. Verify such policies with Action IPSEC meet organization requirements to only allow connectivity to specific, authorized Management Network hosts and ensure that traffic is encrypted through the IPsec tunnel.\n5. Verify at least one of these policies is configured with Action set to DENY.\n\nIf there are not DENY Policies in which the Incoming Interface is a management-related VPN Tunnel interface, and the Outgoing Interface is the Management Network interface, this is a finding.\n\nIf there are no IPSEC Policies for which the Incoming Interface is a management-related VPN Tunnel interface, and the Outgoing Interface is the Management Network interface that meets organization requirements, this is a finding.",
"description": "Protect the management network with a filtering firewall configured to block unauthorized traffic. This requirement is similar to the out-of-band management (OOBM) model, in which the production network is managed in-band. The management network could also be housed at a Network Operations Center (NOC) that is located locally or remotely at a single or multiple interconnected sites. \n\nNOC interconnectivity, as well as connectivity between the NOC and the managed networks\u2019 premise routers, would be enabled using either provisioned circuits or VPN technologies such as IPsec tunnels or MPLS VPN services.",
"fixid": "F-37305r611464_fix",
"fixtext": "Log in to the FortiGate GUI with Super- or Firewall Policy-Admin privilege.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Click +Create New.\n4. Name the policy.\n5. For the Incoming Interface, select the tunnel from which a host is connecting to the management network.\n6. For the Outgoing Interface, select the interface connected to the management network.\n7. For the Source, select the address object or group of authorized management hosts.\n8. For the Destination, select assets in the management network, and approved Network Services.\n9. Configure the Policy Action to Accept.\n10. Ensure Enable this policy is toggled to right.\n11. Click OK.\n\nRepeat these steps for each Management Network host and associated Service.",
"iacontrols": null,
"id": "V-234155",
"ruleID": "SV-234155r852966_rule",
"severity": "medium",
"title": "The FortiGate firewall must restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address.",
"version": "FNFG-FW-000130"
},
"V-234156": {
"checkid": "C-37341r611466_chk",
"checktext": "Log in to the FortiGate CLI with Super-Admin privilege, and then run the command:\n# show system session-helper.\n\nReview the output and ensure it matches the following:\nconfig system session-helper\n edit 1\n set name pptp\n set protocol 6\n set port 1723\n next\n edit 2\n set name h323\n set protocol 6\n set port 1720\n next\n edit 3\n set name ras\n set protocol 17\n set port 1719\n next\n edit 4\n set name tns\n set protocol 6\n set port 1521\n next\n edit 5\n set name tftp\n set protocol 17\n set port 69\n next\n edit 6\n set name rtsp\n set protocol 6\n set port 554\n next\n edit 7\n set name rtsp\n set protocol 6\n set port 7070\n next\n edit 8\n set name rtsp\n set protocol 6\n set port 8554\n next\n edit 9\n set name ftp\n set protocol 6\n set port 21\n next\n edit 10\n set name mms\n set protocol 6\n set port 1863\n next\n edit 11\n set name pmap\n set protocol 6\n set port 111\n next\n edit 12\n set name pmap\n set protocol 17\n set port 111\n next\n edit 13\n set name sip\n set protocol 17\n set port 5060\n next\n edit 14\n set name dns-udp\n set protocol 17\n set port 53\n next\n edit 15\n set name rsh\n set protocol 6\n set port 514\n next\n edit 16\n set name rsh\n set protocol 6\n set port 512\n next\n edit 17\n set name dcerpc\n set protocol 6\n set port 135\n next\n edit 18\n set name dcerpc\n set protocol 17\n set port 135\n next\n edit 19\n set name mgcp\n set protocol 17\n set port 2427\n next\n edit 20\n set name mgcp\n set protocol 17\n set port 2727\n next\nend\n\nIf the output does not match, this is a finding.",
"description": "Application inspection enables the firewall to control traffic based on different parameters that exist within the packets such as enforcing application-specific message and field length. Inspection provides improved protection against application-based attacks by restricting the types of commands allowed for the applications. Application inspection enforces conformance against published RFCs.\n\nSome applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the firewall. When application inspection is enabled for a service that embeds IP addresses, the firewall translates embedded addresses and updates any checksum or other fields that are affected by the translation. When application inspection is enabled for a service that uses dynamically assigned ports, the firewall monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.",
"fixid": "F-37306r611467_fix",
"fixtext": "Fix can be performed on FortiGate CLI. For any modified or missing session-helpers, log in to the FortiGate console via SSH or console access and run the following commands:\n\n # config system session-helper\n # edit {integer}\n # set name {name of protocol}\n # set protocol {protocol number}\n # set port {port number}\n # next\n # end",
"iacontrols": null,
"id": "V-234156",
"ruleID": "SV-234156r611468_rule",
"severity": "medium",
"title": "The FortiGate firewall must be configured to inspect all inbound and outbound traffic at the application layer.",
"version": "FNFG-FW-000135"
},
"V-234157": {
"checkid": "C-37342r611469_chk",
"checktext": "The FortiGate has RPF enabled by default, but it can be disabled for IPv4, IPv4 ICMP, IPv6, and IPv6-ICMP with the \"set asymroute enable\" commands. Log in to the FortiGate CLI with Super-Admin privilege, and then run the command:\n# get system settings | grep asymroute\n\nUnless this device is intentionally set up for asymmetric routing, if any of the settings are set to \"enable\", this is a finding.",
"description": "A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in \"botnets\", which are a collection of compromised computers using malware to attack other computers or networks. Denial-of-Service (DoS) attacks frequently leverage IP source address spoofing to send packets to multiple hosts that, in turn, send return traffic to the hosts with the forged IP addresses. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet, thereby mitigating IP source address spoofing.",
"fixid": "F-37307r611470_fix",
"fixtext": "This fix can be performed via the CLI of the FortiGate.\n\n1. Open a CLI console via SSH or from the GUI.\n2. Run the following commands:\n # config system settings\n # set asymroute disable\n # set asymroute-icmp disable\n # set asymroute6 disable\n # set asymroute6-icmp disable\n # end",
"iacontrols": null,
"id": "V-234157",
"ruleID": "SV-234157r611471_rule",
"severity": "medium",
"title": "The FortiGate firewall must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).",
"version": "FNFG-FW-000145"
},
"V-234158": {
"checkid": "C-37343r611472_chk",
"checktext": "The firewall must be configured to send events to a syslog server. Anomaly events, such as a DoS attack, are sent with a severity of critical. The syslog server will notify the ISSO and ISSM. To verify the syslog configuration, log in to the FortiGate GUI with Super-Admin privileges.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # show full-configuration log syslogd setting | grep -i 'mode\\|server' \nThe output should be: \n set server {123.123.123.123}\n set mode reliable\n\nTo ensure a secure connection, a certificate must be loaded, encryption enabled, and the SSL version set. To verify, while still in the CLI, run the following command:\n # get log syslogd setting\nCheck for the following:\n set enc-algorithm {MEDIUM-HIGH | HIGH}\n set certificate\n\nIf the syslogd is not configured to send logs to a central syslog server, this is a finding.",
"description": "Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information.\n\nThe firewall generates an alert that notifies designated personnel of the Indicators of Compromise (IOCs), which require real-time alerts. These messages should include a severity-level indicator or code as an indicator of the criticality of the incident. These indicators reflect the occurrence of a compromise or a potential compromise.\n\nSince these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema.\n\nCJCSM 6510.01B, \"Cyber Incident Handling Program\", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category 1, 2, 4, or 7 detection events) will require an alert when an event is detected.\n\nAlerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The firewall must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.",
"fixid": "F-37308r611473_fix",
"fixtext": "Syslog server is used to send alerts for DoS incidents. To enable syslog, log in to the FortiGate GUI with Super-Admin privileges.\n\n1. Open a CLI console, via SSH or available from the GUI.\n2. Run the following command:\n # config log syslogd setting\n # set status enable\n # set server {IP address of site syslog server}\n # set mode {reliable}\n # set enc-algorithm {high-medium | high}\n # set port {server listen port}\n # set facility syslog\n # set source-ip {source IP address}\n # set max-log-rate {value between 1 and 100000}\n # set certificate {certificate string}\n # end",
"iacontrols": null,
"id": "V-234158",
"ruleID": "SV-234158r852967_rule",
"severity": "low",
"title": "The FortiGate firewall must generate an alert that can be forwarded to, at a minimum, the Information System Security Officer (ISSO) and Information System Security Manager (ISSM) when denial-of-service (DoS) incidents are detected.",
"version": "FNFG-FW-000150"
},
"V-234159": {
"checkid": "C-37344r611475_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Network.\n2. Click Packet Capture.\n3. Verify different Packet Capture Filters are configured and that they capture packets based on interface, host, VLAN, or protocol.\n\nIf FortiGate does not allow an authorized administrator to capture packets based on interface, host, VLAN, or protocol, this is a finding.",
"description": "Without the ability to capture, record, and log content related to a user session, investigations into suspicious user activity would be hampered.\n\nThis configuration ensures the ability to select specific sessions to capture in order to support general auditing/incident investigation or to validate suspected misuse.",
"fixid": "F-37309r611476_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\nCreate a Packet Capture Filter \n1. Click Network.\n2. Click Packet Capture.\n3. Click +Create New.\n4. Select an interface from the drop down menu.\n5. Specify the maximum number of packets to capture.\n6. Enable Filters to configure filtering based upon Host (addresses), Port, VLAN, or Protocol.\n7. Click OK.\n\nThen, \n1. Select a packet filter from the list of packet capture filters.\n2. Right-click on the selected filter.\n3. Click Start.\n4. Click OK.\nThe packet capture continues until either the configured number of packets is reached, or the administrator stops the packet capture. The administrator must download the packet capture for viewing with an external application, like Wireshark or tcpdump.",
"iacontrols": null,
"id": "V-234159",
"ruleID": "SV-234159r611477_rule",
"severity": "medium",
"title": "The FortiGate firewall must allow authorized users to record a packet-capture-based IP, traffic type (TCP, UDP, or ICMP), or protocol.",
"version": "FNFG-FW-000155"
},
"V-234160": {
"checkid": "C-37345r611478_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Verify the Log Settings for Event Logging is configured to ALL.\n\nIn addition to System log settings, verify that individual firewall policies are configured with the most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify all Policy rules are configured with Logging Options set to Log All Sessions (for most verbose logging).\n4. Verify the Implicit Deny Policy is configured to Log Violation Traffic.\n\nIf the Traffic Log setting is not configured to ALL, and the Implicit Deny Policies are not configured to LOG VIOLATION TRAFFIC, this is a finding.",
"description": "Without generating log records that log usage of objects by subjects and other objects, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nSecurity objects are data objects that are controlled by security policy and bound to security attributes.\n\nThe firewall must not forward traffic unless it is explicitly permitted via security policy. Logging for firewall security-related sources such as screens and security policies must be configured separately. To ensure security objects such as firewall filters (i.e., rules, access control lists [ACLs], screens, and policies) send events to a syslog server and local logs, security logging must be configured on each firewall term.",
"fixid": "F-37310r611479_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Configure the Log Settings for Forward Traffic Log to ALL.\n4. Click Apply.\n\nIn addition to these log settings, configure individual firewall policies with the most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. For each policy, configure Logging Options for Log Allowed Traffic to log All Sessions (for most verbose logging).\n4. Ensure Enable this policy is toggled to right.\n5. Configure the Implicit Deny Policy to Log Violation Traffic.\n6. Click OK.",
"iacontrols": null,
"id": "V-234160",
"ruleID": "SV-234160r611480_rule",
"severity": "medium",
"title": "The FortiGate firewall must generate traffic log records when traffic is denied, restricted, or discarded.",
"version": "FNFG-FW-000160"
},
"V-234161": {
"checkid": "C-37346r611481_chk",
"checktext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Verify the Log Settings for Event Logging and Local Traffic Log are configured to ALL.\n\nIn addition to System log settings, verify individual firewall policies are configured with the most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Verify all Policy rules are configured with Logging Options set to Log All Sessions (for most verbose logging).\n4. Verify the Implicit Deny Policy is configured to Log Violation Traffic.\n\nIf the Traffic Log setting is not configured to ALL, and the Implicit Deny Policies are not configured to LOG VIOLATION TRAFFIC, this is a finding.",
"description": "Without generating log records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAccess for different security levels maintains separation between resources (particularly stored data) of different security domains.\n\nThe firewall can be configured to use security zones configured with different security policies based on risk and trust levels. These zones can be leveraged to prevent traffic from one zone from sending packets to another zone. For example, information from certain IP sources will be rejected if the destination matches specified security zones that are not authorized.",
"fixid": "F-37311r611482_fix",
"fixtext": "Log in to the FortiGate GUI with Super-Admin privilege.\n\n1. Click Log and Report.\n2. Click Log Settings.\n3. Configure the Log Settings for Local Traffic Log to ALL.\n4. Click Apply.\n\nIn addition to these log settings, configure individual firewall policies with the most suitable Logging Options.\n\n1. Click Policy and Objects.\n2. Click IPv4 or IPv6 Policy.\n3. Click +Create New to configure organization specific policies, with Action set to DENY.\n4. Configure Logging Options to log All Sessions (for most verbose logging).\n5. Ensure Enable this policy is toggled to right.\n6. Click Implicit Deny Policy.\n7. Click Edit.\n8. Select Log Violation Traffic.\n9. Click OK.",
"iacontrols": null,
"id": "V-234161",
"ruleID": "SV-234161r611483_rule",
"severity": "medium",
"title": "The FortiGate firewall must generate traffic log records when attempts are made to send packets between security zones that are not authorized to communicate.",
"version": "FNFG-FW-000165"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-234133": "true",
"V-234134": "true",
"V-234135": "true",
"V-234136": "true",
"V-234137": "true",
"V-234138": "true",
"V-234139": "true",
"V-234140": "true",
"V-234141": "true",
"V-234142": "true",
"V-234143": "true",
"V-234144": "true",
"V-234145": "true",
"V-234146": "true",
"V-234147": "true",
"V-234148": "true",
"V-234149": "true",
"V-234150": "true",
"V-234151": "true",
"V-234152": "true",
"V-234153": "true",
"V-234154": "true",
"V-234155": "true",
"V-234156": "true",
"V-234157": "true",
"V-234158": "true",
"V-234159": "true",
"V-234160": "true",
"V-234161": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "fortinet_fortigate_firewall",
"title": "Fortinet FortiGate Firewall Security Technical Implementation Guide",
"version": "1"
}
}