Administration Guide

Security rating

The security rating uses real-time monitoring to analyze your Security Fabric deployment, identify potential vulnerabilities, highlight best practices that can be used to improve the security and performance of your network, and calculate Security Fabric scores.

To view the security rating, go to Security Fabric > Security Rating on the root FortiGate.

The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.

The scorecards show an overall letter grade and breakdown of the performance in sub-categories. Clicking a scorecard drills down to a detailed report of itemized results and compliance recommendations. The point score represents the net score for all passed and failed items in that area. In the drill down report, hover the cursor over a score to view the calculation breakdown.

The report includes the security controls that were tested against, linking to specific FSBP or PCI compliance policies. Click the FSBP and PCI buttons to reference the corresponding standard. Users can search or filter the report results. If there is a failed check on the scorecard, there is a link in the Recommendations section that takes you to the page to resolve the problem.

Certain remediations marked with an EZ symbol represent configuration recommendations that support Easy Apply. In the panel on the right, in the Recommendations section, click Apply to apply the changes to resolve the failed security control.

The report table can be customized by adding more columns, such as Category, to view, filter, or sort the results based on scorecard categories. Click the gear icon to customize the table.

Users can also export the reports as CSV or JSON files by clicking the Export dropdown.

Tooltip

To exit the current view, click the icon beside the scorecard title to return to the summary view.

For more information about security ratings, and details about each of the checks that are performed, go to Security Best Practices & Security Rating Feature.

Note

The following licensing options are available for security rating checks:

  • A base set of free checks
  • A licensed set that requires a FortiGuard Security Rating Service subscription

The base set can be run locally on any FortiGate and on all other devices in the Security Fabric. For a list of base and licensed security rating checks, see FortiGuard Security Rating Service.

Security rating notifications

Security rating notifications are shown on settings pages, which list configuration issues determined by the security rating report. You can open the recommendations to see which items need to be fixed. Notifications can be dismissed in the GUI. Dismissed issues are unique for each administrator. Hashes for dismissed notifications are saved in local storage. If a user clears the local storage, all issues will show up again as not dismissed.

Notification locations

On the System > Settings page, there is a Security Rating Issues section in the right-side gutter. To dismiss a notification, hover over the issue and click the X beside it. To view dismissed notifications, enable Show Dismissed.

On the Network > Interfaces page, there is a Security Rating Issues section in the table footer. Click Security Rating Issues to view the list of issues. To dismiss a notification, click the X beside it. To view dismissed notifications, click Show Dismissed.

Notification pop-ups

When you click a security rating notification, a pop-up appears and the related setting is highlighted in the GUI. The pop-up contains a description of the problem and a timestamp of when the issue was found.

Once an issue is resolved, the notification disappears after the next security rating report runs.

PSIRT-related notifications

On a FortiGate with a valid Security Rating license, the separate Security Rating package downloaded from FortiGuard supports PSIRT vulnerabilities, which are highlighted in security rating results.

To verify the FortiGuard license entitlement in the GUI:
  1. Go to System > FortiGuard and expand the License Information table.
  2. Check that Security Rating appears in the list and the license is valid.

To verify the FortiGuard license entitlement in the CLI:
# diagnose autoupdate versions
...
Security Rating Data Package
---------
Version: 4.00008
Contract Expiry Date: Sun Jun 18 2023
Last Updated using scheduled update on Thu Jun 23 15:48:13 2022
Last Update Attempt: Thu Jun 23 15:48:13 2022
Result: Updates Installed

FDS Address
---------
173.243.140.6:443
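
The entitlement check above can be scripted for fleet-wide monitoring. The following is an added example, not Fortinet code: it parses the diagnose autoupdate versions output shown above and flags an expired Security Rating contract or a stale update attempt. The function names and the 7-day staleness threshold are assumptions.

```python
from datetime import datetime, date

# Output copied from the CLI excerpt above (sections before it are elided there).
SAMPLE = """\
Security Rating Data Package
---------
Version: 4.00008
Contract Expiry Date: Sun Jun 18 2023
Last Updated using scheduled update on Thu Jun 23 15:48:13 2022
Last Update Attempt: Thu Jun 23 15:48:13 2022
Result: Updates Installed

FDS Address
---------
173.243.140.6:443
"""

def parse_sections(text):
    """Return {title: {field: value}}; a title is a line underlined with dashes."""
    sections, current, lines = {}, None, text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and nxt and set(nxt) == {"-"}:
            current = sections.setdefault(line.strip(), {})
        elif not line.strip():
            current = None  # a blank line closes the section
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return sections

def _date(pkg, field, fmt):
    try:
        return datetime.strptime(pkg[field], fmt).date()
    except (KeyError, ValueError):
        return None  # field absent or not in the format shown above

def check_security_rating(text, today, max_age_days=7):
    """List entitlement problems (empty = OK). max_age_days is an assumed threshold."""
    pkg = parse_sections(text).get("Security Rating Data Package")
    if pkg is None:
        return ["Security Rating Data Package section not found"]
    problems = []
    expiry = _date(pkg, "Contract Expiry Date", "%a %b %d %Y")
    attempt = _date(pkg, "Last Update Attempt", "%a %b %d %H:%M:%S %Y")
    if expiry is None or expiry < today:
        problems.append("contract expired or expiry date unreadable")
    if attempt is None or (today - attempt).days > max_age_days:
        problems.append("no recent update attempt")
    return problems
```

Pass the captured CLI text and the current date, for example check_security_rating(output, date.today()). A non-empty list means PSIRT-related results may be missing or out of date on that device.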

The following notifications are visible in the GUI.

  • Warning message: if the security rating result indicates a vulnerability with a critical severity, then the FortiOS GUI displays a warning message in the header and a new notification under the bell icon. The View Vulnerability link appears in the header for global administrators.

    Clicking the warning message redirects to the System > Fabric Management page, where users are encouraged to update any affected Fortinet Fabric devices to the latest firmware releases to resolve the critical vulnerabilities.

  • Security Rating page: when a failed result is selected, the security panel provides a description of the PSIRT vulnerability for failed results.

    The Recommendations section includes a link to the System > Fabric Management page to update the firmware.

    In the search bar, use PSIRT keywords to filter for PSIRT vulnerabilities.

  • Tooltip: a tooltip for the critical vulnerability label on the System > Fabric Management page lists the vulnerability, and it links to the Security Fabric > Security Rating page where more details about the vulnerability are displayed.

Security rating check scheduling

Security rating checks by default are scheduled to run automatically every four hours.

To disable automatic security checks using the CLI:
config system global
    set security-rating-run-on-schedule disable
end

To manually run a report using the CLI:
# diagnose report-runner trigger

Logging the security rating

The results of past security checks are available on the Log & Report > System Events page. Click the Security Rating Events card to see the detailed log.

An event filter subtype can be created for the Security Fabric rating so event logs are created on the root FortiGate that summarize the results and show detailed information for the individual tests.

To configure security rating logging using the CLI:
config log eventfilter
    set security-rating enable
end

Multi VDOM mode

In multi VDOM mode, security rating reports can be generated in the Global VDOM for all of the VDOMs on the device. Administrators with read/write access can run the security rating report in the Global VDOM. Administrators with read-only access can only view the report.

On the report scorecards, the Scope column shows the VDOMs that the check was run on. On checks that support Easy Apply, the remediation can be run on all of the associated VDOMs.

Global scope:

VDOM scope:

The security rating event log is available on the root VDOM.
