Administration Guide

Security rating

The security rating uses real-time monitoring to analyze your Security Fabric deployment, identify potential vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and calculate Security Fabric scores.

To view the security rating, go to Security Fabric > Security Rating on the root FortiGate.

The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.

The scorecards show an overall letter grade and breakdown of the performance in sub-categories. The letter grade is calculated based on the percent of tests in a category that passed:

  • A = 90% and above

  • B = 77% to <90%

  • C = 60% to <77%

  • D = 50% to <60%

  • F = Less than 50%

For example, if eight out of ten tests in a category passed, then 80% of the tests passed, and the category would be given a B grade.
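As an added example (not code from the Fortinet guide), the following Python recomputes the letter grades from a list of check results using the thresholds above. The record layout is a constructed assumption and does not claim to match the FortiGate CSV/JSON export format; the function also handles the boundary values (exactly 90%, 77%, 60%, 50%) and rejects an empty category.

```python
# Added example, not code from the Fortinet guide. The thresholds are the
# ones the guide lists; the record layout below is constructed and does not
# claim to match the FortiGate CSV/JSON export format.
from collections import defaultdict

# Lower bound (percent of tests passed) for each grade, highest first.
GRADE_THRESHOLDS = [("A", 90.0), ("B", 77.0), ("C", 60.0), ("D", 50.0)]


def letter_grade(passed: int, total: int) -> str:
    """Map a pass count to the guide's letter grade; F below 50%."""
    if total <= 0:
        raise ValueError("a category needs at least one test to be graded")
    if not 0 <= passed <= total:
        raise ValueError("passed must be between 0 and total")
    percent = 100.0 * passed / total
    for grade, floor in GRADE_THRESHOLDS:
        if percent >= floor:
            return grade
    return "F"


def grade_categories(results):
    """Group check results by category and grade each category.

    Each record is a dict with a 'category' and a 'result' of either
    'Passed' or 'Failed' (constructed field names, assumed here).
    Returns {category: (passed, total, percent, grade)}.
    """
    counts = defaultdict(lambda: [0, 0])  # category -> [passed, total]
    for rec in results:
        tally = counts[rec["category"]]
        tally[1] += 1
        if rec["result"] == "Passed":
            tally[0] += 1
    report = {}
    for cat, (passed, total) in counts.items():
        percent = round(100.0 * passed / total, 1)
        report[cat] = (passed, total, percent, letter_grade(passed, total))
    return report


# Constructed sample: eight of ten Security Posture checks passed (the
# guide's own worked example) plus a five-check Fabric Coverage category
# that lands exactly on the 60% boundary.
SAMPLE_RESULTS = (
    [{"category": "Security Posture", "result": "Passed"}] * 8
    + [{"category": "Security Posture", "result": "Failed"}] * 2
    + [{"category": "Fabric Coverage", "result": "Passed"}] * 3
    + [{"category": "Fabric Coverage", "result": "Failed"}] * 2
)
```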

Clicking a scorecard drills down to a detailed report of itemized results and compliance recommendations. The point score represents the net score for all passed and failed items in that area. In the drill-down report, hover the cursor over a score to view the calculation breakdown.

The report includes the security controls that were tested against, linking to specific FSBP, PCI, or CIS compliance policies. In the dropdown, select FSBP, PCI, or CIS to reference the corresponding standard.

Note

The FortiGate must have a valid Attack Surface Security Rating license to view security ratings grouped by CIS.

Users can search or filter the report results. If there is a failed check on the scorecard, there is a link in the Recommendations section that takes you to the page to resolve the problem.

Certain remediations marked with an EZ symbol represent configuration recommendations that support Easy Apply. In the panel on the right, in the Recommendations section, click Apply to apply the changes to resolve the failed security control.

The report table can be customized by adding more columns, such as Category, to view, filter, or sort the results based on scorecard categories. Click the gear icon to customize the table.

Users can also export the reports as CSV or JSON files by clicking the Export dropdown.

Tooltip

To exit the current view, click the icon beside the scorecard title to return to the summary view.

For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.

Note

The following licensing options are available for security rating checks:

  • A base set of free checks
  • A licensed set that requires a FortiGuard Security Rating Service subscription

The base set can be run locally on any FortiGate and on all other devices in the Security Fabric. For a list of base and licensed security rating checks, see FortiGuard Security Rating Service.

Security rating notifications

Security rating notifications appear on settings pages and list the configuration issues identified by the security rating report. You can open the recommendations to see which items need to be fixed. Notifications can be dismissed in the GUI. Dismissed issues are tracked separately for each administrator: hashes of the dismissed notifications are saved in the browser's local storage, so if a user clears the local storage, all issues show up again as not dismissed.

Notification locations

On the System > Settings page, there is a Security Rating Issues section in the right-side gutter. To dismiss a notification, hover over the issue and click the X beside it. To view dismissed notifications, enable Show Dismissed.

On the Network > Interfaces page, there is a Security Rating Issues section in the table footer. Click Security Rating Issues to view the list of issues. To dismiss a notification, click the X beside it. To view dismissed notifications, click Show Dismissed.

Notification pop-ups

When you click a security rating notification, a pop-up appears and the related setting is highlighted in the GUI. The pop-up contains a description of the problem and a timestamp of when the issue was found.

Once an issue is resolved, the notification disappears after the next security rating report runs.

PSIRT-related notifications

On a FortiGate with a valid Firmware license, the separate Security Rating package downloaded from FortiGuard supports PSIRT vulnerabilities, which are highlighted in security rating results. PSIRT Package Definitions are part of the Firmware entitlement.

To verify the FortiGuard license entitlement in the GUI:
  1. Go to System > FortiGuard and expand the License Information table.

  2. Expand the Firmware & General Updates section.

  3. Check that PSIRT Package Definitions appears in the list and the license is valid.

To verify the FortiGuard license entitlement in the CLI:
# diagnose autoupdate versions
...
Security Rating Data Package
---------
Version: 5.00022
Contract Expiry Date: Fri Nov 24 2023
Last Updated using scheduled update on Mon Sep 11 09:44:21 2023
Last Update Attempt: Tue Sep 12 16:29:10 2023
Result: No Updates
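As an added example that is not part of the guide, the following Python parses that CLI output and flags a Security Rating Data Package whose contract is expired or about to expire, the entitlement the PSIRT checks below depend on. It assumes the "name / ---------" block layout shown above, and the transcript it parses is constructed from those lines.

```python
# Added example, not code from the Fortinet guide: parse the output of
# "diagnose autoupdate versions" and check whether the Security Rating
# Data Package contract is still valid. Assumes the "name / ---------"
# block layout shown in the guide; the transcript below is constructed
# from the guide's own sample lines.
from datetime import date, datetime

SAMPLE_OUTPUT = """\
Security Rating Data Package
---------
Version: 5.00022
Contract Expiry Date: Fri Nov 24 2023
Last Updated using scheduled update on Mon Sep 11 09:44:21 2023
Last Update Attempt: Tue Sep 12 16:29:10 2023
Result: No Updates
"""


def parse_autoupdate_versions(text):
    """Return {package name: {field: value}} for each dashed block."""
    lines = text.splitlines()
    packages, current = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("---"):  # this line names a package
            current = line.strip()
            packages[current] = {}
        elif current is None or line.startswith("---") or not line.strip():
            continue
        else:
            key, sep, value = line.partition(": ")
            if sep:  # lines without "key: value" form are skipped
                packages[current][key.strip()] = value.strip()
    return packages


def contract_status(fields, today):
    """Return (is_valid, days_left) from a package's Contract Expiry Date."""
    expiry = datetime.strptime(fields["Contract Expiry Date"], "%a %b %d %Y")
    days_left = (expiry.date() - today).days
    return days_left >= 0, days_left


def security_rating_contract_ok(text, today, warn_days=30):
    """True when the package is present and has at least warn_days left."""
    pkgs = parse_autoupdate_versions(text)
    fields = pkgs.get("Security Rating Data Package")
    if not fields or "Contract Expiry Date" not in fields:
        return False
    valid, days_left = contract_status(fields, today)
    return valid and days_left >= warn_days
```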

The following notifications are visible in the GUI.

  • Warning message: if the security rating result indicates a vulnerability with a critical severity, then the FortiOS GUI displays a warning message in the header and a new notification under the bell icon. The View Vulnerability link appears in the header for global administrators.

    Clicking the warning message redirects to the System > Firmware & Registration page, where users are encouraged to update any affected Fortinet Fabric devices to the latest firmware releases to resolve the critical vulnerabilities.

  • Security Rating page: when a failed result is selected, the panel on the right provides a description of the PSIRT vulnerability.

    The Recommendations section includes a link to the System > Firmware & Registration page to update the firmware.

    In the search bar, use PSIRT keywords to filter for PSIRT vulnerabilities.

  • Tooltip: a tooltip for the critical vulnerability label on the System > Firmware & Registration page lists the vulnerability, and it links to the Security Fabric > Security Rating page where more details about the vulnerability are displayed.

To view vulnerability results after performing a security rating scan:
# diagnose report-runner vuln-read
Index: 0
Name: FG-IR-23-001: FortiOS / FortiManager / FortiAnalyzer / FortiWeb / FortiProxy / FortiSwitchManager - Heap buffer underflow in administrative interface
FortiGate Serial: FGVM02TM23000000

To clear the vulnerability result:
# diagnose report-runner vuln-clean
Deleted temporary critical vulnerability file

FortiGuard IoT vulnerability-related checks

There are two rating checks in the Security Posture report related to IoT vulnerabilities:

  • The FortiGuard IoT Detection Subscription rating check will pass if the System > FortiGuard page shows that the IoT Detection Definitions (under the Attack Surface Security Rating entitlement) is licensed. In this example, the result is marked as Passed because the license is valid.

  • The FortiGuard IoT Vulnerability rating check will fail if any IoT vulnerabilities are found. In this example, the result is marked as Failed because there is a device with IoT vulnerabilities.

    In the Recommendations section, hover over the device name to display the tooltip, which includes an option to View IoT Vulnerabilities.

Note

To detect IoT vulnerabilities, the FortiGate must have a valid IoT Definitions license, device detection must be configured on a LAN interface used by IoT devices, and a firewall policy with an application control sensor must be configured.

Security rating check scheduling

By default, security rating checks are scheduled to run automatically every four hours.

To disable automatic security checks using the CLI:
config system global
    set security-rating-run-on-schedule disable
end

To manually run a report using the CLI:
# diagnose report-runner trigger

Logging the security rating

The results of past security checks are available on the Log & Report > System Events page. Click the Security Rating Events card to see the detailed log.

An event filter subtype can be created for the Security Fabric rating so event logs are created on the root FortiGate that summarize the results and show detailed information for the individual tests.

To configure security rating logging using the CLI:
config log eventfilter
    set security-rating enable
end

Multi VDOM mode

In multi VDOM mode, security rating reports can be generated in the Global VDOM for all of the VDOMs on the device. Administrators with read/write access can run the security rating report in the Global VDOM. Administrators with read-only access can only view the report.

On the report scorecards, the Scope column shows the VDOMs that the check was run on. On checks that support Easy Apply, the remediation can be run on all of the associated VDOMs.

Global scope:

VDOM scope:

The security rating event log is available on the root VDOM.
