
Administration Guide

Security rating

The security rating uses real-time monitoring to analyze your Security Fabric deployment, identify potential vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and calculate Security Fabric scores.

To view the security rating, go to Security Fabric > Security Rating on the root FortiGate.

The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.

The scorecards show an overall letter grade and breakdown of the performance in sub-categories. Clicking a scorecard drills down to a detailed report of itemized results and compliance recommendations. The point score represents the net score for all passed and failed items in that area. In the drill down report, hover the cursor over a score to view the calculation breakdown.

The report includes the security controls that were tested against, linking to specific FSBP or PCI compliance policies. Click the FSBP and PCI buttons to reference the corresponding standard. Users can search or filter the report results.

Certain remediations marked with an EZ symbol represent configuration recommendations that support Easy Apply. In the panel on the right, in the Recommendations section, click Apply to apply the changes to resolve the failed security control.

The report table can be customized by adding more columns, such as Category, to view, filter, or sort the results based on scorecard categories. Click the gear icon to customize the table.

Users can also export the reports as CSV or JSON files by clicking the Export dropdown.

Tooltip

To exit the current view, click the icon beside the scorecard title to return to the summary view.

For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.

Note

Security rating licenses are required to run security rating checks across all the devices in the Security Fabric. The license also allows rating scores to be submitted to and received from FortiGuard for ranking networks by percentile.

See https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/security-rating.html for information.

Security rating check scheduling

By default, security rating checks are scheduled to run automatically every four hours.

To disable automatic security checks using the CLI:
config system global
    set security-rating-run-on-schedule disable
end
To manually run a report using the CLI:
# diagnose report-runner trigger

Opt out of ranking

Security rating scores can be submitted to FortiGuard for comparison with other organizations' scores, allowing a percentile score to be calculated. If you opt out of submitting your score, only an absolute score will be available.

To opt out of submitting the score using the CLI:
config system global
    set security-rating-result-submission {enable | disable}
end

Logging the security rating

The results of past security checks are available in Log & Report > Events by selecting Security Rating Events from the event type dropdown list.

An event filter subtype can be created for the Security Fabric rating so that event logs are created on the root FortiGate that summarize the results of a check, and show detailed information for the individual tests.

To configure security rating logging using the CLI:
config log eventfilter
    set security-rating enable
end
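The three CLI settings in the sections above (check scheduling, result submission to FortiGuard, and security rating event logging) are posture decisions that should be verified on every FortiGate in the Fabric, not just set once. The following added example is not Fortinet code and is not part of this guide: it parses a FortiOS-style configuration dump using only the block syntax shown above (config <table> / set <key> <value> / end), compares the three settings with an intended posture, and emits the CLI needed to correct any drift. The configuration excerpt is constructed for the example; the expected values, the `EXPECTED` table and all function names are assumptions. Factory defaults are not assumed: a setting that does not appear in the dump (as happens in a plain `show` output for settings at their default) is reported as missing rather than guessed.

```python
"""Audit the security-rating settings in a FortiOS configuration dump.

Added example, not Fortinet code. It assumes the flat block syntax
'config <table> / set <key> <value> / end' and a constructed excerpt.
"""
from typing import Dict, Optional, Tuple

# Constructed configuration excerpt (not captured from a real device).
# security-rating-run-on-schedule is deliberately absent to show the
# "missing" case; 'system interface' shows that nested tables are skipped.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 5
    set hostname "FGT-ROOT"
    set security-rating-result-submission disable
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
config log eventfilter
    set event enable
    set security-rating disable
end
"""

# Intended posture (assumed for this example): scheduled checks on,
# results not shared with FortiGuard, rating events logged.
EXPECTED: Dict[Tuple[str, str], str] = {
    ("system global", "security-rating-run-on-schedule"): "enable",
    ("system global", "security-rating-result-submission"): "disable",
    ("log eventfilter", "security-rating"): "enable",
}


def parse_fortios_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse top-level 'config ... / set key value / end' blocks into a dict.

    Only settings directly inside a top-level block are collected; 'edit'
    tables and nested 'config' blocks are tracked by depth and skipped,
    because every setting on this page lives in a flat block.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                current = line[len("config "):]
                blocks.setdefault(current, {})
        elif line.startswith("edit "):
            depth += 1
        elif line in ("end", "next"):
            depth -= 1
            if depth == 0:
                current = None
        elif line.startswith("set ") and current is not None and depth == 1:
            key, _, value = line[len("set "):].partition(" ")
            blocks[current][key] = value.strip().strip('"')
    return blocks


def audit_security_rating(config: Dict[str, Dict[str, str]],
                          expected=EXPECTED):
    """Return {(block, key): (status, actual)} with status ok/mismatch/missing."""
    results = {}
    for (block, key), want in expected.items():
        actual = config.get(block, {}).get(key)
        if actual is None:
            results[(block, key)] = ("missing", None)   # default not assumed
        elif actual == want:
            results[(block, key)] = ("ok", actual)
        else:
            results[(block, key)] = ("mismatch", actual)
    return results


def remediation_cli(results, expected=EXPECTED) -> str:
    """Emit FortiOS CLI that sets every non-ok item to its expected value."""
    by_block: Dict[str, list] = {}
    for (block, key), (status, _) in results.items():
        if status != "ok":
            by_block.setdefault(block, []).append(
                f"    set {key} {expected[(block, key)]}")
    out = []
    for block, lines in by_block.items():
        out.append(f"config {block}")
        out.extend(lines)
        out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    findings = audit_security_rating(parsed)
    for (block, key), (status, actual) in findings.items():
        print(f"{status:8} {block} / {key} = {actual}")
    print(remediation_cli(findings))
```

Run against a `show full-configuration` dump rather than plain `show` if you want defaults to be visible to the audit; with plain `show`, a "missing" result means the setting is at its factory default and should be confirmed by hand.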

Multi VDOM mode

In multi VDOM mode, security rating reports can be generated in the Global VDOM for all of the VDOMs on the device. Administrators with read/write access can run the security rating report in the Global VDOM. Administrators with read-only access can only view the report.

On the report scorecards, the Scope column shows the VDOM or VDOMs that the check was run on. On checks that support Easy Apply, the remediation can be run on all of the associated VDOMs.

The security rating event log is available on the root VDOM.
