Firewall Manager access (IT MSP)

~~Protect~~An ~~your~~IT ~~existing~~managed ~~Fortigate~~services orprovider ~~Palo~~maintained ~~investments~~multiple Fortinet firewalls on behalf of customers, often responding to urgent service desk requests requiring 24/7 access. These firewalls were deployed across various locations and managed by multiple members of the network team.

Due to security concerns, access to manage these firewalls was restricted to several office/static IP addresses deemed trustworthy. However, remote access remained necessary, including for select customers who self-managed their firewall/rules. To facilitate remote firewall management, a VPN was exposed to the Internet. This approach introduced unnecessary attack surface and another Internet-exposed asset/entry point. It also presented challenges related to authorization as the VPN was shared with MSP staff and select customers.

Objective:
Enable remote firewall management from ~~direct~~trusted ~~internet~~IP ~~exposure~~addresses byon ~~introducing~~the ~~Knocknoc.~~Internet, linked to an authorized Entra group login, eliminating the need for an Internet-exposed VPN nor requiring on-premise network access.

~~Remote~~Outcome:
Firewall management ~~and~~users ~~administration~~seamlessly ~~interfaces,~~logged ~~VPN~~in ~~services/ports or any service offered can be protected, requiring a centralised login prior to presenting network exposure. A quick way to support remote management without~~using the ~~Internet~~Entra ~~exposure~~external ~~risk,~~client ~~removes~~connector. ~~the threat of zero-days as it is simply invisible prior to logging in to Knocknoc, which opens access just in time.~~

This ~~can~~solution beaccommodated ~~achieved~~both inMSP ~~multiple~~staff ~~ways~~and ~~through~~external ~~active~~customers, orallowing ~~passive firewall orchestration , effectively adding network application whitelisting only after a successful authorized user~~secure login to the ~~network~~appropriate ~~edge.~~firewall for management tasks. All access was logged, and multi-factor authentication was implemented without adding complexity or making significant changes to the existing Fortinet configurations.

Technical how:

In this example half the Fortinet firewalls were 'actively' managed by Knocknoc, with the other half 'passively' orchestrated. This allowed authorized firewall managers to securely manage the firewall devices when required, but presented zero attack surface to the broader Internet, and did not require a VPN whatsoever allowing that device to be deprecated.

Shown below is the ~~direct-~~Active orchestration ~~model, where Knocknoc adds the trusted/authenticated IP address to the relevant policy on the Fortinet, exposing the VPN services to an IP address only after they have successfully authenticated.~~model:

~~Alternatively~~The another ~~agentless~~devices ~~deployment can be established using~~utilized the ~~AllowList~~Passive ~~feature:~~mode:

This can be combined in a passive-allowlist model along with an API call which updates the policies (causing a live poll), giving you the best of both worlds - low privilege API access along with a polled allowlist.

~~This can be used to remove the attack surface of VPN services/protocols prior to centralized login or prevent asset exposure to zero-day attacks as they simply inaccessible.~~

~~If you need to urgently reduce direct exposure of your Fortigate, Palo or other appliances, please~~ ~~talk to us~~.