Understand FSBP ND06.1 in the Security Rating Report (‘No third party router or NAT devices should be detected in the network’)

This article describes Fortinet Security Best Practice (FSBP) ND06.1, which recommends that ‘No third party router or NAT devices should be detected in the network’.

Scope

FortiGate.

Solution

Generally speaking, the recommendations made within the FSBP assume that the administrator is utilizing an all-Fortinet deployment (e.g. FortiGates, FortiSwitches, FortiAPs) so that they can leverage the benefits of the Fortinet Security Fabric (e.g. increased network visibility and centralized management).

FSBP ND06.1 assumes that replacing a third-party router/NAT device (i.e. a Layer 3 network device) with a FortiGate is an improvement for the network, as it would allow the administrator to expand the Security Fabric and thus the scope of network visibility. Similarly, the presence of an unexpected router/NAT device (such as an end-user connecting a personal router or wireless access point to the downstream network) could be a potential security concern, and it would be flagged as a failure for FSBP ND06.1.

Side note: the Device Detection/Identification feature on Fortinet products operates at a Layer 2 level and creates device entries based on MAC address. This means that any devices that are separated from the FortiGate by a Layer 3 router/NAT device would be difficult or even impossible for the FortiGate to detect and identify properly (leading to reduced network visibility for the administrator).

However, it is not always feasible (or even necessary) to replace third-party devices with Fortinet equivalents. There are many situations where a third-party router/NAT device needs to be used, such as pre-existing/legacy infrastructure that cannot be upgraded, or when relying upon connections to equipment owned and operated by a different team or company (e.g. an ISP router or a connection within a colocation datacenter).

Consider the following recommendations regarding FSBP ND06.1:

  • ND06.1 assesses the list of assets found with Device Detection/Identification. Consider disabling device identification on network interfaces that are known to connect to third-party infrastructure (such as interfaces that are marked with the WAN role) so that they do not factor into ND06.1.
  • Additionally, keep in mind that ND06.1 is a recommendation and not a hard security rule. It is acceptable to not meet/pass this recommendation as long as there is a clear understanding about the potential downsides (e.g. reduced network visibility from the FortiGate for anything behind a third-party router/NAT device).
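As an added example (not part of the original article), the following FortiOS CLI disables Device Detection/Identification on an interface assigned the WAN role, so that third-party equipment behind it is not counted against ND06.1. The interface name "wan1" is an assumption; substitute the interface that faces the third-party device.

```fortios
# Added example: stop Layer 2 device identification on an interface that
# connects to third-party infrastructure (ISP router, colocation uplink, etc.).
# Interface name "wan1" is an assumption for this example.
config system interface
    edit "wan1"
        set role wan
        set device-identification disable
    next
end

# Review what Device Detection currently lists before and after the change
# (command assumed available on the firmware release in use):
diagnose user device list
```

Leave device identification enabled on LAN-facing interfaces, since an unexpected router/NAT device appearing there is exactly the case ND06.1 is meant to surface.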