Fortinet black logo

Cookbook

Security rating

Copy Link
Copy Doc ID 4e2e9371-e0d6-11ea-96b9-00505692583a:292634
Download PDF

Security rating

The security rating analyzes your Security Fabric deployment, identifies potential vulnerabilities, highlights best practices that can be used to improve the security and performance of your network, and calculates Security Fabric scores.

To view the security rating and run a security rating check, go to Security Fabric > Security Rating on the root FortiGate. Click Run Now to run a security rating check. Checks can also be run automatically every four hours.

The security rating check uses real-time monitoring to analyze the network based on the current network configuration. When the check is complete, the results table shows a list of the checks that where performed, including:

  • The name and a description of the check.
  • The device or devices that the check was performed on.
  • The impact of the check on the overall security score.
  • The check results—whether it passed or failed.

The list can be searched, filtered to show all results or only failed checks, and exported to a CSV or JSON file. Clicking a color or legend name in the donut charts will also filter the results.

Hovering the cursor over a check result score will show the breakdown of how that score was calculated.

Selecting a specific check from the list shows details about that check in the Security Control Details pane, including recommendations and compliance information. For failed checks, this includes a description of what remediation actions could be taken. For recommendations that support Easy Apply, the device will have an EZ symbol next to its name, and the remediation action can be taken automatically by clicking Apply under the recommendations. See Comprehensive report extensions for more information about security rating reports.

For more information about security ratings, including details about each check that is performed, go to Security Best Practices & Security Rating Feature.

Note

Security rating licenses are required to run security rating checks across all the devices in the Security Fabric. It also allows ratings scores to be submitted to and received from FortiGuard for ranking networks by percentile.

See https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/security-rating.html for information.

Automatic security rating checks

Security rating checks can be scheduled to run automatically every four hours.

To enable automatic security checks using the CLI:
config system global
    security-rating-run-on-schedule {enable | disable}
end

Opt out of ranking

Security rating scores can be submitted to FortiGuard for comparison with other organizations' scores, allowing a percentile score to be calculated. If you opt out of submitting your score, only an absolute score will be available.

To opt out of submitting the score using the CLI:
config system global
    set security-rating-result-submission {enable | disable}
end

Logging the security rating

The results of past security checks are available in Log & Report > Events and selecting Security Rating Events from the event type dropdown list.

An event filter subtype can be created for the Security Fabric rating so that event logs are created on the root FortiGate that summarize the results of a check, and show detailed information for the individual tests.

To configure security rating logging using the CLI:
config log eventfilter
    set security-rating enable
end

Security rating

The security rating analyzes your Security Fabric deployment, identifies potential vulnerabilities, highlights best practices that can be used to improve the security and performance of your network, and calculates Security Fabric scores.

To view the security rating and run a security rating check, go to Security Fabric > Security Rating on the root FortiGate. Click Run Now to run a security rating check. Checks can also be run automatically every four hours.

The security rating check uses real-time monitoring to analyze the network based on the current network configuration. When the check is complete, the results table shows a list of the checks that where performed, including:

  • The name and a description of the check.
  • The device or devices that the check was performed on.
  • The impact of the check on the overall security score.
  • The check results—whether it passed or failed.

The list can be searched, filtered to show all results or only failed checks, and exported to a CSV or JSON file. Clicking a color or legend name in the donut charts will also filter the results.

Hovering the cursor over a check result score will show the breakdown of how that score was calculated.

Selecting a specific check from the list shows details about that check in the Security Control Details pane, including recommendations and compliance information. For failed checks, this includes a description of what remediation actions could be taken. For recommendations that support Easy Apply, the device will have an EZ symbol next to its name, and the remediation action can be taken automatically by clicking Apply under the recommendations. See Comprehensive report extensions for more information about security rating reports.

For more information about security ratings, including details about each check that is performed, go to Security Best Practices & Security Rating Feature.

Note

Security rating licenses are required to run security rating checks across all the devices in the Security Fabric. It also allows ratings scores to be submitted to and received from FortiGuard for ranking networks by percentile.

See https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/security-rating.html for information.

Automatic security rating checks

Security rating checks can be scheduled to run automatically every four hours.

To enable automatic security checks using the CLI:
config system global
    security-rating-run-on-schedule {enable | disable}
end

Opt out of ranking

Security rating scores can be submitted to FortiGuard for comparison with other organizations' scores, allowing a percentile score to be calculated. If you opt out of submitting your score, only an absolute score will be available.

To opt out of submitting the score using the CLI:
config system global
    set security-rating-result-submission {enable | disable}
end

Logging the security rating

The results of past security checks are available in Log & Report > Events and selecting Security Rating Events from the event type dropdown list.

An event filter subtype can be created for the Security Fabric rating so that event logs are created on the root FortiGate that summarize the results of a check, and show detailed information for the individual tests.

To configure security rating logging using the CLI:
config log eventfilter
    set security-rating enable
end