public:hub_configuration

Differences

public:hub_configuration [2024/12/05 13:57] – created sprabhu
public:hub_configuration [2024/12/11 18:11] (current) rhudak
Line 1: Line 1:
 ====== HUB Configuration====== ====== HUB Configuration======
  
 +<color #ed1c24>*For the Fortigate</color>
  
 ==== Configuration strategy goals==== ==== Configuration strategy goals====
-  * Separation of Power approach: To help divide responsibilities and access to enhance security and minimize the potential for unauthorized access or control.+**Separation of Power approach:** To help divide responsibilities and access to enhance security and minimize the potential for unauthorized access or control.
  
  
 ==== Fortigate admin profile controls==== ==== Fortigate admin profile controls====
-  * Scope-Based Access: Admin access can be global or on VDOM basis. Global scope admins have access to the base device and all VDOMs by default. Per-VDOM access allows tighter control for specific ships/tenants. +  * **Scope-Based Access:** Admin access can be global or on VDOM basis. Global scope admins have access to the base device and all VDOMs by default. Per-VDOM access allows tighter control for specific ships/tenants. 
-  * Separate Config Access: Control access are granted independently for network interface configuration (Ethernet, VLANs, inter-VDOM links) and VPN (IPSec) configurations. +  * **Separate Config Access:** Control access are granted independently for network interface configuration (Ethernet, VLANs, inter-VDOM links) and VPN (IPSec) configurations. 
-  * Restrict Sensitive Options: Can be blocked access to FortiView (metadata) and packet capture (raw packets) for admins who do not require these features.+  * **Restrict Sensitive Options:** Can be blocked access to FortiView (metadata) and packet capture (raw packets) for admins who do not require these features.
  
  
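Review bot: the added `<color #ed1c24>*For the Fortigate</color>` line has a leading asterisk inside the color tag, which renders as a literal "*" rather than a list bullet (DokuWiki bullets need the two-space `  * ` form), and the fragment "For the Fortigate" has no verb, so it is unclear whether it is a footnote-style marker or a scope statement; suggest either a proper bullet or a full sentence such as "This page applies to the FortiGate hub." The same hunk turns "Separation of Power approach" from a bullet into a bold paragraph, which leaves this section formatted differently from the bulleted "Fortigate admin profile controls" list directly below it; keep one form. While these lines are being touched, "Control access are granted independently" and "Can be blocked access to FortiView" read awkwardly; suggest "Access is granted independently for network interface configuration (Ethernet, VLANs, inter-VDOM links) and VPN (IPSec) configuration" and "Access to FortiView (metadata) and packet capture (raw packets) can be blocked for admins who do not require these features."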
Line 35: Line 36:
  
 ==== Building the Admin Profile System ==== ==== Building the Admin Profile System ====
-  * Identify Sensitive Options to Restrict: Explicitly restrict the sensitive options including FortiView (metadata view), packet capture (raw packet view), and VPN configuration (IPSec management). These options explicitly lock-out an admin's options to inappropriately egress "inside-the-veil" IPSec sessions. +  * **Identify Sensitive Options to Restrict:** Explicitly restrict the sensitive options including FortiView (metadata view), packet capture (raw packet view), and VPN configuration (IPSec management). These options explicitly lock-out an admin's options to inappropriately egress "inside-the-veil" IPSec sessions. 
-  * Configure Certificate Management: Transition certificate management to a VDOM-level scope to ensure certificate private keys are isolated and protected from global admin access. +  * **Configure Certificate Management:** Transition certificate management to a VDOM-level scope to ensure certificate private keys are isolated and protected from global admin access. 
-  * Leverage FortiManager for Configuration Management: Utilize the FortiManager auto-config process to create regular backup configurations, to test configurations and to implement configuration changes while maintaining a version-controlled audit trail. +  * **Leverage FortiManager for Configuration Management:** Utilize the FortiManager auto-config process to create regular backup configurations, to test configurations and to implement configuration changes while maintaining a version-controlled audit trail. 
-  * Define Separate Admin Profiles: Create role-specific admin profiles with clear separation of duties. Profiles for hub admins, providing connectivity to per-ship VDOMs and seeing IPSec ciphertext, versus ship admins with ability to see inside the ship VDOMs, on a per-ship basis.+  * **Define Separate Admin Profiles:** Create role-specific admin profiles with clear separation of duties. Profiles for hub admins, providing connectivity to per-ship VDOMs and seeing IPSec ciphertext, versus ship admins with ability to see inside the ship VDOMs, on a per-ship basis.
  
  
  
  
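Review bot: the "Configure Certificate Management" bullet claims that moving certificate management to VDOM-level scope protects private keys from global admin access, but the "Scope-Based Access" bullet above states that global scope admins have access to the base device and all VDOMs by default, so as written the protection does not follow from scope alone; the bullet should name the admin profile restriction that actually keeps global admins out of the VDOM certificate store, or narrow the claim to isolation between ship VDOMs. Also, "These options explicitly lock-out an admin's options to inappropriately egress" repeats "options" and hyphenates the verb; suggest "These restrictions lock an admin out of inappropriately egressing ...". This revision only adds bold markup, so the trailing whitespace at the end of each bullet is carried over unchanged and could be trimmed in the same edit.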
public/hub_configuration.1733407059.txt.gz · Last modified: 2024/12/05 13:57 by sprabhu
