By Guest Author • Sep 21, 2018

Using a Fortinet FortiGate as Reverse Proxy for PRTG: All the Config You Need

My name is Florian Thiele and I'm an IT Security Architect. I have been working with FortiGate firewalls and PRTG for 10 years, and I want to share some useful information about how to securely publish your PRTG server using a FortiGate firewall.

A while back, the Paessler blog published posts describing how to use a reverse proxy to load off utilization from a PRTG server. One of the posts covered general information of how to do it, while the other described how to do it with a KEMP LoadMaster. Here I'll explain how to do it with FortiGate firewalls.

Before starting, please read the following disclaimer, as this is about a sensitive part of your security.

Please note: This is a guest article. I have carefully compiled this information and it is provided to the best of  my knowledge. As the solution is not part of PRTG itself, it is not officially supported by Paessler or PRTG Technical Support. Yet, we wanted to share it with you as it might be of interest for many PRTG users.

You must also be aware that if you configure any of the parts incorrectly, you may leave yourself open to an intruder gaining access to anything configured within PRTG. This includes User ID's, passwords, IP names, etc. In other words: no warranties are expressed or implied. Paessler, its employees or partners cannot be held liable for any damages that you may incur as a result of employing a Reverse Proxy.

Fortinet's documentation is available from their website: (http://docs.fortinet.com). There's also a handbook about FortiGate server loadbalancing: http://docs.fortinet.com/d/fortigate-server-load-balancing-56

Important: Only FortiGate FortiOS 5.4, 5.6 and above support TLS 1.2 in the load balancing feature. FortiOS 5.2, 5.0, 4.3 and lower only support TLS 1.1 and TLS 1.0. TLS 1.2 is strongly recommended.

1. Add a virtual server to accept the traffic to be load balanced

Go to Policy & Objects > Virtual Servers and add a virtual server:

FortiGate_LoadBalancing_VirtualServer_PRTG_01-1

Create a new virtual server, select HTTPS as the "Type", enter the external IP address and TCP port, and select the certificate. The certificate has to be loaded in the FortiGate's certificate store (Go to System > Certificates).

Create a new Real Server, and enter the internal IP address and TCP port.

2. Configure additional FortiGate hardening

Go to the CLI of the FortiGate device using SSH, or use the Web interface's CLI console widget. 

FortiGate_LoadBalancing_VirtualServer_PRTG_02-1

There, enter the following:

config firewall vip
edit vs_PRTG-webserver01 <-- Name of the chosen virtual server
set ssl-max-version tls-1.2 <-- Recommendation is to only allow TLS 1.2
set ssl-min-version tls-1.2 <-- Recommendation is to only allow TLS 1.2
set ssl-server-algorithm custom <-- Recommendation to harden ciphers
config ssl-server-cipher-suites
edit 1
set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
next
edit 2
set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
next
end
set ssl-dh-bits 2048 <-- Recommendation to use minimum of 2048 bit for DH*
ssl-client-renegotiation secure <-- Recommendation to increase client renegotiation
ssl-client-fallback enable <-- Recommendation to enable downgrade attack prevention (TLS_FALLBACK_SCSV, RFC 7507 https://tools.ietf.org/html/rfc7507)
end

 

*Note: Only FortiGate models with CP9 ASIC processors support 3072/4096 bit DH (Diffie-Hellman) keys in the hardware; other models have to use the FortiGate CPU. FortiGate models with CP8 ASIC processors support up to 2048 bit DH keys in the hardware. For more information about this, go here: 

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-load-balancing/ldb-ssl-tls-diffie.htm

From FortiOS5.6 and above, FortiGate offers HSTS, which should be used to enforce HTTPS and prevent MitM-Attacks. HSTS can be activated as follows:

set ssl-hsts enable
set ssl-hsts-age 31536000
set ssl-hsts-include-subdomains enable 

For more information about load balancing FortiGate devices, take a look at their documentation:

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-load-balancing/ldb-ssl-tls-version.htm

3. Check the Configuration

Check the configuration again as follows: 

config firewall vip
edit vs_PRTG-webserver01
FortiGate1500D-HA01 (vs_PRTG-webserver01) # get
name : vs_PRTG-webserver01
id : 0
uuid : 123456ab-cdef-1234-4567-1234567890ab
comment : virtual server PRTG webserver
type : server-load-balance
src-filter :
extip : 192.168.0.1
extintf : WAN (wan1)
arp-reply : enable
server-type : https
nat-source-vip : disable
gratuitous-arp-interval: 0
srcintf-filter :
http-ip-header : disable
monitor :
color : 0
ldb-method : static
persistence : none
extport : 443
realservers:
== [ 1 ]
id: 1 ip: 172.30.0.171 port: 80 status: active holddown-interval: 300 max-connections: 0
http-multiplex : disable
ssl-mode : half
ssl-certificate : trusted-certificate-loaded-in-certificate-store
ssl-dh-bits : 2048
ssl-algorithm : custom
ssl-server-cipher-suites: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ssl-server-algorithm: client
ssl-pfs : allow
ssl-min-version : tls-1.2
ssl-max-version : tls-1.2
ssl-server-min-version: client
ssl-server-max-version: client
ssl-send-empty-frags: enable
ssl-client-fallback : enable
ssl-client-renegotiation: secure
ssl-client-session-state-type: both
ssl-client-session-state-timeout: 30
ssl-client-session-state-max: 1000
ssl-server-session-state-type: both
ssl-server-session-state-timeout: 60
ssl-server-session-state-max: 100
max-embryonic-connections: 1000
 

4. Add a WAN1 with the Virtual Server.

Go to Policy & Objects > IPv4 Policy and add a WAN1 to the internal security policy that includes the virtual server.

In this policy, you can also apply UTM profiles (like Anti-Virus, Intrusion-Prevention, Application-Control, etc.) to the load-balanced sessions.

config firewall policy
edit 0 <-- uses next free policy-id
set srcintf wan1
set srcaddr all
set dstintf internal
set dstaddr vs_PRTG-webserver01
set action accept
set schedule always
set service HTTP <-- service-port of real-server, not virtual server set nat enable <-- only if necessary in your network setup set utm-status enable set profile-protocol-options default set av-profile scan set ips-profile high_security end
 

5. Test the Configuration

To check if everything worked, you can use different public tools to check your settings. One popular (and good) TLS-checking tool is the tool from SSLLabs: https://www.ssllabs.com/ssltest/analyze.html

In order to make it even more secure, the PRTG webservice can be limited to dedicated IP addresses or (dynamic) FQDNs by setting source-addresses ("set srcaddr") to an address object group in the policy. The best way to protect your PRTG is to use VPN (IPSec or SSLVPN), and use a Web Application Firewall.

If you want to read more from me in the future, watch out for posts on my new blog: https://how2itsec.blogspot.com/

 

Do you have FortiGate devices in your environment? Let us know if you try this out. And if you have any questions, please include them in the comments section below, and I will try answer them.