Security rating
Security audit checks are updated to match evolving vulnerability exploits and attacks. The security fabric rating service helps the security and network teams keep up with changing compliance and regulatory standards by identifying opportunities to improve the system configuration and automate processes. The security rating applies to all devices in your Security Fabric, and uses real-time monitoring to analyze your Security Fabric deployment, identify potential vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and calculate Security Fabric scores.
The security rating gives grades in the following sections:
- Fabric Security Hardening
- Audit Logging & Monitoring
- Threat & Vulnerability Management
- Network Design & Policies
- Endpoint Management
- Firmware & Subscriptions
- Performance Optimization
The rating also takes industry standards into account, such as NIST, PCI DSS compliance, GDPR, and CIS.
Enabling the Security Fabric and rating service allows you to easily identify key deficiencies, take action based on automated recommendations, secure your entire fabric, and passively monitor based on your Security Fabric scores.
The following table lists the security rating tests that are included with FortiOS and do not require a license. The table is grouped by Score Card category (for example, Security Posture, Fabric Coverage, and Optimization) and sorted by FSBP ID.
| Score Card Category | FSBP ID | Name | Description | Category |
|---|---|---|---|---|
| Security Posture | AL02.1 | Centralized Logging & Reporting | Logging and reporting should be done in a centralized place. | Audit Logging & Monitoring |
| Security Posture | EM01.1 | Endpoint Registration | Interfaces which are classified as "LAN" and are used by a policy should have Security Fabric Connection enabled. | Endpoint Management |
| Security Posture | EM01.2 | FortiClient Vulnerabilities | All registered FortiClient devices should have no critical vulnerabilities. | Endpoint Management |
| Security Posture | ND02.4 | FortiAP UTM SSID Compatibility | (blank) | Network Design & Policies |
| Security Posture | ND04.1 | LAN Segment Servers | Servers should be placed behind interfaces classified as "DMZ". | Network Design & Policies |
| Security Posture | ND05.2 | VLAN Management | Non-FortiLink interfaces should not have multiple VLANs configured on them. | Network Design & Policies |
| Security Posture | ND07.1 | Device Discovery | Interfaces which are classified as "LAN" or "DMZ" and are used by a policy should have device detection enabled. | Network Design & Policies |
| Security Posture | ND08.1 | Interface Classification | All interfaces used by a policy should be classified as either "LAN", "WAN", or "DMZ". | Network Design & Policies |
| Security Posture | ND09.1 | Detect Botnet Connections | Policies should block or monitor outgoing connections to botnet sites. | Network Design & Policies |
| Security Posture | ND10.1 | Explicit Interface Policies | Policies that allow traffic should not be using the "any" interface. | Network Design & Policies |
| Security Posture | SH01.1 | Unsecure Protocol - Telnet | Interfaces currently in use should not allow TELNET administrative access. | Fabric Security Hardening |
| Security Posture | SH01.11 | Unsecure Protocol - TFTP | (blank) | Fabric Security Hardening |
| Security Posture | SH01.2 | Unsecure Protocol - HTTP | Interfaces currently in use should not allow HTTP administrative access. | Fabric Security Hardening |
| Security Posture | SH03.1 | Valid HTTPS Certificate - Administrative GUI | The administrative GUI should be using a valid and secure certificate. | Fabric Security Hardening |
| Security Posture | SH04.1 | Valid HTTPS Certificate - SSL-VPN | SSL-VPN should be using a valid and secure certificate. | Fabric Security Hardening |
| Security Posture | SH05.1 | Admin Password Policy | A password policy should be set up for system administrators. | Fabric Security Hardening |
| Security Posture | SH09.7 | LDAP Server Identity Check | Verify that server-identity-check is enabled for LDAP servers to ensure certificate validation takes place. While this is the default option in a clean install, it may not be set if upgrading from older releases. | Fabric Security Hardening |
| Security Posture | SH09.8 | Disable Username Sensitivity Check | Verify that username case sensitivity is disabled for remote LDAP users. This option is provided only for legacy compatibility reasons. If enabled, it can lead to the bypass of two-factor authentication. | Fabric Security Hardening |
| Security Posture | SH20.1 | DNS Helper | (blank) | Fabric Security Hardening |
| Fabric Coverage | AL02.2 | FortiAnalyzer | All FortiGates in the Security Fabric can connect to and authenticate with their configured FortiAnalyzer. | Audit Logging & Monitoring |
| Fabric Coverage | FS01.1 | Compatible Firmware | All devices in the Security Fabric should have compatible firmware versions. | Firmware & Subscriptions |
| Fabric Coverage | FS01.2 | FortiAP Firmware Versions | All FortiAPs should be running the latest firmware. | Firmware & Subscriptions |
| Fabric Coverage | FS01.3 | FortiSwitch Firmware Versions | All FortiSwitches should be running the latest firmware. | Firmware & Subscriptions |
| Fabric Coverage | FS02.1 | FortiCare Support | Appropriate devices should be registered with FortiCare and have valid support coverage. | Firmware & Subscriptions |
| Fabric Coverage | FS02.10 | Firmware & General Updates | The Firmware & General Updates subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.11 | Indicators of Compromise | For compromised host support, the IoC subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.2 | IPS | The IPS subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.3 | AntiVirus | The AntiVirus subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.5 | Web Filtering | The Web Filtering subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.6 | Anti-Spam | The Anti-Spam subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.8 | Industrial DB | The Industrial DB subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS02.9 | Outbreak Prevention | The Outbreak Prevention subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS03.1 | Security Rating | The Security Rating subscription should be valid. | Firmware & Subscriptions |
| Fabric Coverage | FS05.1 | Activate FortiCloud Services | (blank) | Firmware & Subscriptions |
| Fabric Coverage | ND01.1 | Unauthorized FortiSwitches | All discovered FortiSwitches should be authorized or disabled. | Network Design & Policies |
| Fabric Coverage | ND01.2 | Unauthorized FortiAPs | All discovered FortiAPs should be authorized or disabled. | Network Design & Policies |
| Fabric Coverage | ND06.1 | Third Party Router & NAT Devices | No third-party router or NAT devices should be detected in the network. | Network Design & Policies |
| Fabric Coverage | TV01.1 | Advanced Threat Protection | Suspicious files should be submitted to FortiSandbox Appliance/FortiSandbox Cloud for inspection. | Threat & Vulnerability Management |
| Fabric Coverage | TV01.2 | FortiSandbox | All FortiGates in the Security Fabric can connect to their configured FortiSandbox. | Threat & Vulnerability Management |
| Optimization | ND03.1 | Unused Policies | All policies should be used. | Network Design & Policies |
| Optimization | PO01.10 | Policy Inspection Mode | Policies should not combine proxy and flow inspection modes. | Performance Optimization |
| Optimization | PO04.1 | Managed Switch Capacity Exceeded on FortiGate | The number of managed FortiSwitches should not exceed 80% of the FortiGate's maximum capacity (table size). We suggest upgrading (or adding another FortiGate if the model already has the maximum table size) when the threshold is reached. | Performance Optimization |
| Optimization | PO04.2 | Redundant FortiLinks | There should be redundant FortiLinks between the FortiGate and FortiSwitch. We suggest adding a FortiLink if there is only one. Switches not directly connected to the FortiGate are exempt. | Performance Optimization |
| Optimization | PO04.3 | Enable MC-LAG | Detect switch peer candidates that can form a tier-1 MC-LAG. | Performance Optimization |
| Optimization | PO04.4 | Redundant ISL | There should be redundant inter-switch links between FortiSwitches. | Performance Optimization |
| Optimization | PO04.5 | Enable STP | Once the network topology is stable, enable STP on the FortiSwitch ports to avoid a switching loop. | Performance Optimization |
| Optimization | PO04.6 | Lockdown LLDP Profile | Edge ports should have the LLDP profile locked down to avoid accidental growth in network topology. | Performance Optimization |
For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.
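As an added example (not Fortinet's rating engine and not code from this page), the following Python script re-implements four of the Fabric Security Hardening checks in the table, SH01.1, SH01.2, SH05.1 and SH09.7, against a saved FortiOS-style configuration backup, so the same findings can be reproduced offline from a config export. The backup text is constructed for the example. The `allowaccess` and `role` interface keys, the `system password-policy` table with its `status` key, and the parser's handling of `config`/`edit`/`set`/`next`/`end` blocks are assumptions about FortiOS CLI syntax; `server-identity-check` is the option named in the table.

```python
import shlex
from collections import namedtuple

# fsbp_id and name come from the rating table; detail is what was found.
Finding = namedtuple("Finding", "fsbp_id name detail")

# Constructed sample backup (not a real device): port1 exposes Telnet and HTTP
# admin access, the password policy is disabled, and corp-ldap has
# server-identity-check disabled. CLI keys are assumed to match the FortiOS CLI.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
config system password-policy
    set status disable
end
config user ldap
    edit "corp-ldap"
        set server-identity-check disable
    next
    edit "hq-ldap"
        set server-identity-check enable
    next
end
"""

def parse_fortios_config(text):
    """Turn config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}.
    Entry name is "" for sections without 'edit'; a config block nested inside an
    entry is keyed as 'parent/entry/child'."""
    tree = {}
    sections, entries = [], []   # open 'config' paths and their current 'edit' name
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and #config-version headers
            continue
        verb, *args = shlex.split(line)        # shlex strips the quotes around names
        if verb == "config":
            path = " ".join(args)
            if sections:
                path = f"{sections[-1]}/{entries[-1] or ''}/{path}"
            sections.append(path)
            entries.append(None)
        elif verb == "edit" and args:
            entries[-1] = args[0]
        elif verb == "set" and args and sections:
            entry = tree.setdefault(sections[-1], {}).setdefault(entries[-1] or "", {})
            entry[args[0]] = args[1:]
        elif verb == "next" and entries:
            entries[-1] = None
        elif verb == "end" and sections:
            sections.pop()
            entries.pop()
    return tree

# SH01.1 / SH01.2: interfaces should not allow Telnet or HTTP administrative access.
INSECURE_ADMIN_PROTOCOLS = {"telnet": "SH01.1", "http": "SH01.2"}

def check_admin_access(tree):
    findings = []
    for name, attrs in tree.get("system interface", {}).items():
        allowed = set(attrs.get("allowaccess", []))
        for proto, fsbp_id in INSECURE_ADMIN_PROTOCOLS.items():
            if proto in allowed:
                findings.append(Finding(fsbp_id, f"Unsecure Protocol - {proto.upper()}",
                                        f"interface {name} allows {proto} admin access"))
    return findings

def check_password_policy(tree):
    # SH05.1: a password policy should be enabled for administrators.
    policy = tree.get("system password-policy", {}).get("", {})
    if policy.get("status") != ["enable"]:
        return [Finding("SH05.1", "Admin Password Policy", "system password-policy is not enabled")]
    return []

def check_ldap_identity(tree):
    # SH09.7: every LDAP server should enable server-identity-check. Backups omit
    # default values and the table notes the option may be unset after an upgrade,
    # so an absent key is reported for manual review rather than assumed safe.
    findings = []
    for name, attrs in tree.get("user ldap", {}).items():
        value = attrs.get("server-identity-check")
        if value != ["enable"]:
            state = "disables" if value == ["disable"] else "does not explicitly enable"
            findings.append(Finding("SH09.7", "LDAP Server Identity Check",
                                    f"LDAP server {name} {state} server-identity-check"))
    return findings

def audit(config_text):
    """Run every check over a config dump and return the findings in check order."""
    tree = parse_fortios_config(config_text)
    return check_admin_access(tree) + check_password_policy(tree) + check_ldap_identity(tree)

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.fsbp_id:7} {f.name}: {f.detail}")
```

Running the script on the constructed backup reports SH01.1 and SH01.2 for port1, SH05.1 for the disabled password policy, and SH09.7 for corp-ldap only; hq-ldap and port2 produce no findings. The LDAP check deliberately treats a missing `server-identity-check` line as something to review rather than as a pass, because a config export normally omits values at their default and the table warns that upgraded units may not have the option set.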