Fortinet black logo

Administration Guide

Security rating

Security rating

The security rating uses real-time monitoring to analyze your Security Fabric deployment, identify potential vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and calculate Security Fabric scores.

To view the security rating, go to Security Fabric > Security Rating on the root FortiGate.

The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.

The scorecards show an overall letter grade and breakdown of the performance in sub-categories. Clicking a scorecard drills down to a detailed report of itemized results and compliance recommendations. The point score represents the net score for all passed and failed items in that area. In the drill down report, hover the cursor over a score to view the calculation breakdown.

The report includes the security controls that were tested against, linking to specific FSBP or PCI compliance policies. Click the FSBP and PCI buttons to reference the corresponding standard. Users can search or filter the report results. If there is a failed check on the scorecard, there is a link in the Recommendations section that takes you to the page to resolve the problem.

Certain remediations marked with an EZ symbol represent configuration recommendations that support Easy Apply. In the panel on the right, in the Recommendations section, click Apply to apply the changes to resolve the failed security control.

The report table can be customized by adding more columns, such as Category, to view, filter, or sort the results based on scorecard categories. Click the gear icon to customize the table.

Users can also export the reports as CSV or JSON files by clicking the Export dropdown.

Tooltip

To exit the current view, click the icon beside the scorecard title to return to the summary view.

For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.

Note

The following licensing options are available for security rating checks:

  • A base set of free checks
  • A licensed set that requires a FortiGuard Security Rating Service subscription

The base set can be run locally on any FortiGate and on all other devices in the Security Fabric. For a list of base and licensed security rating checks, see FortiGuard Security Rating Service.

Security rating notifications

Security rating notifications are shown on settings pages, which list configuration issues determined by the security rating report. You can open the recommendations to see which items need to be fixed. Notifications can be dismissed in the GUI. Dismissed issues are unique for each administrator. Hashes for dismissed notifications are saved in local storage. If a user clears the local storage, all issues will show up again as not dismissed.

Notification locations

On the System > Settings page, there is a Security Rating Issues section in the right-side gutter. To dismiss a notification, hover over the issue and click the X beside it. To view dismissed notifications, enable Show Dismissed.

On the Network > Interfaces page, there is a Security Rating Issues section in the table footer. Click Security Rating Issues to view the list of issues. To dismiss a notification, click the X beside it. To view dismissed notifications, click Show Dismissed.

Notification pop-ups

When you click a security rating notification, a pop-up appears and the related setting is highlighted in the GUI. The pop-up contains a description of the problem and a timestamp of when the issue was found.

Once an issue is resolved, the notification disappears after the next security rating report runs.

Security rating check scheduling

Security rating checks by default are scheduled to run automatically every four hours.

To disable automatic security checks using the CLI:
config system global
    security-rating-run-on-schedule disable
end
To manually run a report using the CLI:
# diagnose report-runner trigger

Logging the security rating

The results of past security checks are available on the Log & Report > System Events page. Click the Security Rating Events card to see the detailed log.

An event filter subtype can be created for the Security Fabric rating so event logs are created on the root FortiGate that summarize the results and show detailed information for the individual tests.

To configure security rating logging using the CLI:
config log eventfilter
    set security-rating enable
end

Multi VDOM mode

In multi VDOM mode, security rating reports can be generated in the Global VDOM for all of the VDOMs on the device. Administrators with read/write access can run the security rating report in the Global VDOM. Administrators with read-only access can only view the report.

On the report scorecards, the Scope column shows the VDOMs that the check was run on. On checks that support Easy Apply, the remediation can be run on all of the associated VDOMs.

Global scope:

VDOM scope:

The security rating event log is available on the root VDOM.

Security rating

Security rating

The security rating uses real-time monitoring to analyze your Security Fabric deployment, identify potential vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and calculate Security Fabric scores.

To view the security rating, go to Security Fabric > Security Rating on the root FortiGate.

The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.

The scorecards show an overall letter grade and breakdown of the performance in sub-categories. Clicking a scorecard drills down to a detailed report of itemized results and compliance recommendations. The point score represents the net score for all passed and failed items in that area. In the drill down report, hover the cursor over a score to view the calculation breakdown.

The report includes the security controls that were tested against, linking to specific FSBP or PCI compliance policies. Click the FSBP and PCI buttons to reference the corresponding standard. Users can search or filter the report results. If there is a failed check on the scorecard, there is a link in the Recommendations section that takes you to the page to resolve the problem.

Certain remediations marked with an EZ symbol represent configuration recommendations that support Easy Apply. In the panel on the right, in the Recommendations section, click Apply to apply the changes to resolve the failed security control.

The report table can be customized by adding more columns, such as Category, to view, filter, or sort the results based on scorecard categories. Click the gear icon to customize the table.

Users can also export the reports as CSV or JSON files by clicking the Export dropdown.

Tooltip

To exit the current view, click the icon beside the scorecard title to return to the summary view.

For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.

Note

The following licensing options are available for security rating checks:

  • A base set of free checks
  • A licensed set that requires a FortiGuard Security Rating Service subscription

The base set can be run locally on any FortiGate and on all other devices in the Security Fabric. For a list of base and licensed security rating checks, see FortiGuard Security Rating Service.

Security rating notifications

Security rating notifications are shown on settings pages, which list configuration issues determined by the security rating report. You can open the recommendations to see which items need to be fixed. Notifications can be dismissed in the GUI. Dismissed issues are unique for each administrator. Hashes for dismissed notifications are saved in local storage. If a user clears the local storage, all issues will show up again as not dismissed.

Notification locations

On the System > Settings page, there is a Security Rating Issues section in the right-side gutter. To dismiss a notification, hover over the issue and click the X beside it. To view dismissed notifications, enable Show Dismissed.

On the Network > Interfaces page, there is a Security Rating Issues section in the table footer. Click Security Rating Issues to view the list of issues. To dismiss a notification, click the X beside it. To view dismissed notifications, click Show Dismissed.

Notification pop-ups

When you click a security rating notification, a pop-up appears and the related setting is highlighted in the GUI. The pop-up contains a description of the problem and a timestamp of when the issue was found.

Once an issue is resolved, the notification disappears after the next security rating report runs.

Security rating check scheduling

Security rating checks by default are scheduled to run automatically every four hours.

To disable automatic security checks using the CLI:
config system global
    security-rating-run-on-schedule disable
end
To manually run a report using the CLI:
# diagnose report-runner trigger

Logging the security rating

The results of past security checks are available on the Log & Report > System Events page. Click the Security Rating Events card to see the detailed log.

An event filter subtype can be created for the Security Fabric rating so event logs are created on the root FortiGate that summarize the results and show detailed information for the individual tests.

To configure security rating logging using the CLI:
config log eventfilter
    set security-rating enable
end

Multi VDOM mode

In multi VDOM mode, security rating reports can be generated in the Global VDOM for all of the VDOMs on the device. Administrators with read/write access can run the security rating report in the Global VDOM. Administrators with read-only access can only view the report.

On the report scorecards, the Scope column shows the VDOMs that the check was run on. On checks that support Easy Apply, the remediation can be run on all of the associated VDOMs.

Global scope:

VDOM scope:

The security rating event log is available on the root VDOM.