Security Controls
On the Security Fabric > Security Rating page, the Security Controls tab displays the results for all security rating checks:
- A summary chart identifies how many items passed, failed, or are exempt from security rating checks.
- Categories against which the security rating tests were run are identified (such as Uncategorized, Audit Logging & Monitoring, Data Protection, and so on), and the assigned grade for each category is displayed (such as A, B, F, and so on).
  The letter grade is calculated based on the percent of tests in a category that passed:
  - A = 90% and above
  - B = 77% to <90%
  - C = 60% to <77%
  - D = 50% to <60%
  - F = Less than 50%
  For example, if eight out of ten tests in a category passed, then 80% of the tests passed, and the category would be given a B grade.
- A report of details that is organized in the following security rating categories: Fabric Coverage (available for devices in a Security Fabric), Optimization, Security Posture, and Uncategorized. Expand each category to display rows of test details. Click each row to display the Test Details pane.
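The grading rule above can be recomputed from a list of check results, which is useful when reviewing an exported report offline. The following is an added example, not Fortinet code; the check names and result rows are constructed sample data, and leaving exempt tests out of the percentage is an assumption (the page only says the grade is based on the percent of tests that passed).

```python
"""Recompute Security Rating letter grades per category.

Added example, not from the Fortinet documentation. The thresholds are the
ones stated on the page (A >= 90%, B >= 77%, C >= 60%, D >= 50%, else F).
Input rows are constructed (test name, category, result) tuples; excluding
'exempt' tests from the denominator is an assumption.
"""
from collections import defaultdict

# Lower bound (percent passed) for each grade, checked highest first.
GRADE_THRESHOLDS = [(90.0, "A"), (77.0, "B"), (60.0, "C"), (50.0, "D")]


def letter_grade(passed: int, total: int):
    """Map the share of passed tests in a category to a letter grade.

    Boundaries are inclusive at the lower end: exactly 77% is a B, and
    anything below 77% but at least 60% is a C. With no counted tests there
    is no percentage to grade, so None is returned.
    """
    if total <= 0:
        return None
    percent = 100.0 * passed / total
    for lower_bound, grade in GRADE_THRESHOLDS:
        if percent >= lower_bound:
            return grade
    return "F"


def summarize(results):
    """Count passed, failed and exempt rows, like the summary chart."""
    counts = {"passed": 0, "failed": 0, "exempt": 0}
    for _name, _category, result in results:
        if result not in counts:
            raise ValueError(f"unknown result {result!r} for {_name}")
        counts[result] += 1
    return counts


def grade_categories(results):
    """Group results by category and grade each category.

    `results` is an iterable of (test_name, category, result), with result
    one of 'passed', 'failed' or 'exempt'. Exempt tests are skipped
    (assumption). Returns {category: (grade, passed, counted)}.
    """
    counts = defaultdict(lambda: [0, 0])  # category -> [passed, counted]
    for name, category, result in results:
        if result == "exempt":
            continue
        if result not in ("passed", "failed"):
            raise ValueError(f"unknown result {result!r} for {name}")
        counts[category][1] += 1
        if result == "passed":
            counts[category][0] += 1
    return {cat: (letter_grade(p, n), p, n) for cat, (p, n) in counts.items()}


# Constructed sample rows; the check names are placeholders, not real
# FortiGate security rating check names.
SAMPLE_RESULTS = (
    [(f"posture-{i:02d}", "Security Posture", "passed") for i in range(8)]
    + [(f"posture-{i:02d}", "Security Posture", "failed") for i in range(8, 10)]
    + [(f"optim-{i:02d}", "Optimization", "passed") for i in range(3)]
    + [("optim-03", "Optimization", "failed")]
    + [("fabric-00", "Fabric Coverage", "passed"),
       ("fabric-01", "Fabric Coverage", "passed"),
       ("fabric-02", "Fabric Coverage", "exempt")]
    + [("uncat-00", "Uncategorized", "passed"),
       ("uncat-01", "Uncategorized", "failed")]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS))
    for category, (grade, passed, counted) in sorted(grade_categories(SAMPLE_RESULTS).items()):
        print(f"{category}: {grade} ({passed}/{counted} passed)")
```

On the sample data, Security Posture reproduces the page's worked example (8 of 10 passed, 80%, grade B), Optimization lands at 75% (C), Fabric Coverage is graded on its two counted tests (A), and Uncategorized sits exactly on the 50% boundary (D).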
The following licensing options are available for security rating checks:
The base set can be run locally on any FortiGate and on all other devices in the Security Fabric. For a list of base and licensed security rating checks, see FortiGuard Security Rating Service.
For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.
To view security controls:
- On the root FortiGate, go to Security Fabric > Security Rating. The Security Controls pane opens.
- For the graded test categories, hover the cursor over a test category to view the calculation breakdown.
- For the summary chart, click the Passed, Failed, or Exempt words or associated colors in the chart to filter the report results.
  For example, click Failed to display only failed tests in the report.
  Click Result to remove the filter, or click the X beside the filter in the Search bar.
- Expand each security rating category in the report to view its details.
- In the report, click each row to view its Test details pane, which includes two tabs: Results and Info & Compliance.
  Click Details to hide and display the Test details pane for a selected row in the report.
  If a test category failed, the Results section includes a link to the GUI page where you can resolve the problem.
  The Info & Compliance tab includes the security controls used for the test and links to specific FSBP, PCI, or CIS compliance policies.
- Select FSBP, PCI, or CIS to filter the report for the selected compliance policy.
  The FortiGate must have a valid Attack Surface Security Rating license to view security ratings grouped by CIS.
- Click Export to export the report to a CSV or JSON file.
- Click the gear icon to customize the report table by adding more columns.
  To exit the current view, click the x beside the search item to return to the summary view.
Multi-VDOM mode
In multi-VDOM mode, security rating reports can be generated in the Global VDOM for all of the VDOMs on the device. Administrators with read/write access can run the security rating report in the Global VDOM. Administrators with read-only access can only view the report.
On the report scorecards, the Scope column shows the VDOMs that the check was run on.
Global scope:
VDOM scope:
The security rating event log is available on the root VDOM.
Security rating check scheduling
By default, security rating checks are scheduled to run automatically every four hours.
The security rating checks also run automatically in between scheduled checks when relevant configuration changes are made to keep the results current with the latest configuration changes.
To disable automatic security checks using the CLI:
    config system global
        set security-rating-run-on-schedule disable
    end
To manually run a report using the CLI:
    # diagnose report-runner trigger