Security rating

Security audit checks are updated to match evolving vulnerability exploits and attacks. The security fabric rating service helps the security and network teams keep up with changing compliance and regulatory standards by identifying opportunities to improve the system configuration and automate processes. The security rating applies to all devices in your Security Fabric, and uses real-time monitoring to analyze your Security Fabric deployment, identify potential vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and calculate Security Fabric scores.

The security rating gives grades in the following sections:

  • Fabric Security Hardening

  • Audit Logging & Monitoring

  • Threat & Vulnerability Management

  • Network Design & Policies

  • Endpoint Management

  • Firmware & Subscriptions

  • Performance Optimization

The rating also takes industry standards into account, such as NIST, PCI DSS compliance, GDPR, and CIS.

Enabling the Security Fabric and rating service allows you to easily identify key deficiencies, take action based on automated recommendations, secure your entire fabric, and passively monitor based on your Security Fabric scores.

The following table lists the security rating tests that are included with FortiOS and do not require a license. The table is grouped by the Score Card category (for example, Security Posture, Fabric Coverage and Optimization) and sorted by the FSBP ID.

| Score Card Category | FSBP ID | Name | Description | Category |
|---|---|---|---|---|
| Security Posture | AL02.1 | Centralized Logging & Reporting | Logging and reporting should be done in a centralized place. | Audit Logging & Monitoring |
| Security Posture | EM01.1 | Endpoint Registration | Interfaces which are classified as "LAN" and are used by a policy should have Security Fabric Connection enabled. | Endpoint Management |
| Security Posture | EM01.2 | FortiClient Vulnerabilities | All registered FortiClient devices should have no critical vulnerabilities. | Endpoint Management |
| Security Posture | ND02.4 | FortiAP UTM SSID Compatibility | | Network Design & Policies |
| Security Posture | ND04.1 | LAN Segment Servers | Servers should be placed behind interfaces classified as "DMZ". | Network Design & Policies |
| Security Posture | ND05.2 | VLAN Management | Non-FortiLink interfaces should not have multiple VLANs configured on them. | Network Design & Policies |
| Security Posture | ND07.1 | Device Discovery | Interfaces which are classified as "LAN" or "DMZ" and are used by a policy should have device detection enabled. | Network Design & Policies |
| Security Posture | ND08.1 | Interface Classification | All interfaces used by a policy should be classified as either 'LAN', 'WAN', or 'DMZ'. | Network Design & Policies |
| Security Posture | ND09.1 | Detect Botnet Connections | Policies should block or monitor outgoing connections to botnet sites. | Network Design & Policies |
| Security Posture | ND10.1 | Explicit Interface Policies | Policies that allow traffic should not be using the "any" interface. | Network Design & Policies |
| Security Posture | SH01.1 | Unsecure Protocol - Telnet | Interfaces currently in use should not allow TELNET administrative access. | Fabric Security Hardening |
| Security Posture | SH01.11 | Unsecure Protocol - TFTP | | Fabric Security Hardening |
| Security Posture | SH01.2 | Unsecure Protocol - HTTP | Interfaces currently in use should not allow HTTP administrative access. | Fabric Security Hardening |
| Security Posture | SH03.1 | Valid HTTPS Certificate - Administrative GUI | The administrative GUI should be using a valid and secure certificate. | Fabric Security Hardening |
| Security Posture | SH04.1 | Valid HTTPS Certificate - SSL-VPN | SSL-VPN should be using a valid and secure certificate. | Fabric Security Hardening |
| Security Posture | SH05.1 | Admin Password Policy | A password policy should be set up for system administrators. | Fabric Security Hardening |
| Security Posture | SH09.7 | LDAP Server Identity Check | Verify that server-identity-check is enabled for LDAP servers to ensure certificate validation takes place. While this is the default option in a clean install, it may not be set if upgrading from older releases. | Fabric Security Hardening |
| Security Posture | SH09.8 | Disable Username Sensitivity Check | Verify that username case sensitivity is disabled for remote LDAP users. This option is provided only for legacy compatibility reasons. If enabled, it can lead to the bypass of two-factor authentication. | Fabric Security Hardening |
| Security Posture | SH20.1 | DNS Helper | | Fabric Security Hardening |
| Fabric Coverage | AL02.2 | FortiAnalyzer | All FortiGates in the Security Fabric can connect to and authenticate with their configured FortiAnalyzer. | Audit Logging & Monitoring |
| Fabric Coverage | FS01.1 | Compatible Firmware | All devices in the Security Fabric should have compatible firmware versions. | Firmware & Subscriptions |
| Fabric Coverage | FS01.2 | FortiAP Firmware Versions | All FortiAPs should be running the latest firmware. | Firmware & Subscriptions |
| Fabric Coverage | FS01.3 | FortiSwitch Firmware Versions | All FortiSwitches should be running the latest firmware. | Firmware & Subscriptions |
| Fabric Coverage | FS02.1 | FortiCare Support | Appropriate devices should be registered with FortiCare and have valid support coverage. | Firmware & Subscriptions |
| Fabric Coverage | FS02.10 | Firmware & General Updates | Firmware & General Updates subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.11 | Indicators of Compromise | For compromised host support, the IoC subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.2 | IPS | IPS subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.3 | AntiVirus | AntiVirus subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.5 | Web Filtering | Web Filtering subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.6 | Anti-Spam | Anti-Spam subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.8 | Industrial DB | Industrial DB subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.9 | Outbreak Prevention | Outbreak Prevention subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS03.1 | Security Rating | Security Rating subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS05.1 | Activate FortiCloud Services | | Firmware & Subscriptions |
| Fabric Coverage | ND01.1 | Unauthorized FortiSwitches | All discovered FortiSwitches should be authorized or disabled. | Network Design & Policies |
| Fabric Coverage | ND01.2 | Unauthorized FortiAPs | All discovered FortiAPs should be authorized or disabled. | Network Design & Policies |
| Fabric Coverage | ND06.1 | Third Party Router & NAT Devices | No third party router or NAT devices should be detected in the network. | Network Design & Policies |
| Fabric Coverage | TV01.1 | Advanced Threat Protection | Suspicious files should be submitted to FortiSandbox Appliance/FortiSandbox Cloud for inspection. | Threat & Vulnerability Management |
| Fabric Coverage | TV01.2 | FortiSandbox | All FortiGates in the Security Fabric can connect to their configured FortiSandbox. | Threat & Vulnerability Management |
| Optimization | ND03.1 | Unused Policies | All policies should be used. | Network Design & Policies |
| Optimization | PO01.10 | Policy Inspection Mode | Policies should not combine proxy and flow inspection modes. | Performance Optimization |
| Optimization | PO04.1 | Managed Switch Capacity Exceeded on FortiGate | The number of managed FortiSwitches should not exceed 80% of the FortiGate's maximum capacity (table size). We suggest upgrading (or adding more FortiGates if the model already has the maximum table size) when the threshold is reached. | Performance Optimization |
| Optimization | PO04.2 | Redundant FortiLinks | There should be redundant FortiLinks between FortiGate and FortiSwitch. We suggest adding a FortiLink if there is only one FortiLink. Switches not directly connected to the FortiGate are exempt. | Performance Optimization |
| Optimization | PO04.3 | Enable MC-LAG | Detect switch peer candidates that can form a tier-1 MC-LAG. | Performance Optimization |
| Optimization | PO04.4 | Redundant ISL | There should be redundant inter-switch links between FortiSwitches. | Performance Optimization |
| Optimization | PO04.5 | Enable STP | Once the network topology is stable, enable STP on the FortiSwitch ports to avoid a switching loop. | Performance Optimization |
| Optimization | PO04.6 | Lockdown LLDP Profile | Edge ports should have their LLDP profile locked down to avoid accidental growth in network topology. | Performance Optimization |
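The hardening checks in the table are simple predicates over the FortiGate configuration, so they can be reproduced offline against a backed-up config. The following is an added example, not Fortinet's own rating engine: a small parser for the FortiOS CLI format (the `config`/`edit`/`set`/`next`/`end` keywords) and an audit that evaluates SH01.1, SH01.2 and SH09.7 over a constructed config fragment; the parser, the `audit` function and the sample config are assumptions of this example.

```python
# Added example: offline evaluation of three Security Rating checks (SH01.1, SH01.2, SH09.7).
import re

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
    edit "port2"
        set allowaccess ping https http telnet
    next
end
config user ldap
    edit "ldap-corp"
        set server-identity-check disable
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; nested sub-tables are skipped."""
    tables, stack, entry = {}, [], None
    for raw in filter(str.strip, text.splitlines()):
        kw, *args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if kw == "config":
            stack.append(" ".join(args))
            tables.setdefault(stack[0], {})
        elif kw == "end":
            stack.pop()
        elif len(stack) == 1 and kw == "edit":
            entry = tables[stack[0]].setdefault(args[0], {})
        elif len(stack) == 1 and kw == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif len(stack) == 1 and kw == "next":
            entry = None
    return tables

def audit(tables):
    """Return (FSBP ID, object, finding) tuples for the checks that fail."""
    findings = []
    for name, iface in tables.get("system interface", {}).items():
        for proto, fsbp in (("telnet", "SH01.1"), ("http", "SH01.2")):
            if proto in iface.get("allowaccess", []):
                findings.append((fsbp, name, f"{proto} administrative access allowed"))
    for name, ldap in tables.get("user ldap", {}).items():
        # An absent key is the secure default; an upgraded config keeps the legacy value explicitly.
        if ldap.get("server-identity-check") == ["disable"]:
            findings.append(("SH09.7", name, "server-identity-check disabled"))
    return findings
```

SH01.1 and SH01.2 only apply to interfaces currently in use, so a full implementation would also cross-reference the interface against the policy table before reporting.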

For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.
