====== HUB Configuration ======

*For the FortiGate

==== Configuration strategy goals ====

**Separation of Power approach:** Divide responsibilities and access so that no single admin role can control everything, enhancing security and minimizing the potential for unauthorized access or control.

==== FortiGate admin profile controls ====

  * **Scope-Based Access:** Admin access can be global or per VDOM. Global-scope admins have access to the base device and all VDOMs by default. Per-VDOM access allows tighter control for specific ships/tenants.
  * **Separate Config Access:** Access is granted independently for network interface configuration (Ethernet, VLANs, inter-VDOM links) and VPN (IPSec) configuration.
  * **Restrict Sensitive Options:** Access to FortiView (metadata) and packet capture (raw packets) can be blocked for admins who do not require these features.

==== Tasks Requiring Hub-Side Global Admin Access ====

Assign global admin access only for tasks where it is essential, following the principle of least privilege to minimize the risk of unintended or unauthorized actions.

== Per-Ship Tasks ==

These tasks are needed for each ship added to the system:

  * [Hub FGT] Creating VDOMs: Set up virtual domains for new ships.
  * [Hub FGT] Creating inter-VDOM links: Enable communication between ship-specific VDOMs and the hub.
  * [Hub FMG] Assigning ship + hub VDOMs to an ADOM in FortiManager: Associate the ship and hub VDOMs with a specific Administrative Domain (ADOM) for configuration and management.
  * [Hub FAZ] Creating the hub logging ADOM: Set up an Administrative Domain for managing logs at the hub.
  * [Hub FAZ] Assigning devices to the appropriate hub logging ADOM: Link the devices to the logging ADOM for centralized log management.

== One-Time Commissioning Tasks ==

These tasks are performed once during the initial setup:

  * [Hub FGT] Assigning physical interfaces to VDOMs: Map physical network ports to their respective VDOMs.
  * [Hub FGT] Configuring Hub FortiGate -> Hub host OI summary routing: Set up routing for traffic between the hub FortiGate and the host Operational Interface (OI).
  * [Hub FGT] Configuring HA: Enable HA for redundancy and reliability.
  * [Hub FGT] Configuring system DNS: Set up Domain Name System settings for the hub.
  * [Hub FGT] Configuring system NTP: Configure Network Time Protocol settings for synchronized timekeeping.
  * [Hub FGT] Configuring the system FortiManager connection: Establish a connection between the hub FortiGate and FortiManager for centralized management.
  * [Hub FGT] Configuring the system (hub) FortiAnalyzer connection: Link the hub FortiGate to FortiAnalyzer for log and analytics management.

==== Building the Admin Profile System ====

  * **Identify Sensitive Options to Restrict:** Explicitly restrict the sensitive options, including FortiView (metadata view), packet capture (raw packet view), and VPN configuration (IPSec management). Restricting these options removes an admin's ability to inappropriately egress the contents of "inside-the-veil" IPSec sessions.
  * **Configure Certificate Management:** Move certificate management to VDOM-level scope so that certificate private keys are isolated and protected from global admin access.
  * **Leverage FortiManager for Configuration Management:** Use the FortiManager auto-config process to create regular configuration backups, to test configurations and to implement configuration changes while maintaining a version-controlled audit trail.
  * **Define Separate Admin Profiles:** Create role-specific admin profiles with a clear separation of duties: profiles for hub admins, who provide connectivity to the per-ship VDOMs and see only IPSec ciphertext, versus ship admins, who can see inside their own ship VDOM on a per-ship basis.
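The two roles described above expressed as FortiOS CLI, as an added example that is not part of this page or of any Fortinet documentation: a global-scope hub profile with FortiView, diagnostics/packet capture and IPSec configuration denied, and a VDOM-scoped ship profile bound to one ship's VDOM. The option names under ''config system accprofile'' (''scope'', ''ftviewgrp'', ''vpngrp'', ''netgrp'', ''sysgrp'', ''system-diagnostics'') are from memory and should be checked against the CLI reference for the firmware in use; the VDOM name ''ship01'', profile and admin names, and the trusthost/password placeholders are assumptions.

```fortios
# Added example (not the page's own config). Profile, admin and VDOM names are assumed.
config system accprofile
    edit "hub_admin"
        # Global scope: can create VDOMs, inter-VDOM links and assign physical interfaces ...
        set scope global
        set sysgrp read-write
        set netgrp read-write
        # ... but cannot configure IPSec, view FortiView metadata, or run diagnostics
        # (packet capture), so only ciphertext is ever reachable from this role
        set vpngrp none
        set ftviewgrp none
        set loggrp read
        set system-diagnostics disable
    next
    edit "ship_admin"
        # VDOM scope: confined to the VDOM the admin account is bound to below;
        # manages that ship's IPSec, policy and logs but not the base device or other VDOMs
        set scope vdom
        set vpngrp read-write
        set fwgrp read-write
        set loggrp read-write
        set ftviewgrp read-write
        set netgrp read
        set sysgrp read
        set system-diagnostics disable
    next
end

config system admin
    edit "ship01-admin"
        set accprofile "ship_admin"
        # Binds the account to exactly one ship VDOM (assumed name)
        set vdom "ship01"
        # Placeholders: restrict management source and set the password at commissioning
        set trusthost1 <ship01-mgmt-subnet> <netmask>
        set password <set-at-commissioning>
    next
end
```

After applying, ''show system accprofile'' and ''show system admin'' confirm the resulting scope and VDOM binding of each account.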