Category Archives: FortiOS

Application Control is a free service


Application Control is now a free FortiGuard service and the database for Application Control signatures is separate from the IPS database. However, Botnet Application signatures are still part of the IPS signature database since these are more closely related with security issues and less about application detection.

With the release of FortiOS 5.6.1, Application Control signature database information is displayed on the System > FortiGuard page in the FortiCare section, and the Botnet category is no longer available when searching the Application Signatures list.

IPS / Application Control logging performance

There is a major boost to Application Control and IPS performance when logging is enabled. With the latest changes, the performance difference with and without logging enabled is negligible.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiClient Profile changes (386267, 375049)

FortiClient profiles have been changed in FortiOS 5.6 to include new protection features and to change organization of the GUI options. FortiClient profiles also use the FortiGate to warn or quarantine endpoints that are not compliant with a FortiClient profile.

A bug that prevented the Dialog and Device Inventory pages from loading when there is a large number of devices (for example, 10,000) has been fixed.

Default FortiClient profile

FortiClient profiles allow you to perform vulnerability scans on endpoints and make sure endpoints are running compliant versions of FortiClient. Also, security posture features cause FortiClient to apply realtime protection, AntiVirus, web filtering, and application control on endpoints.

The default FortiClient profile also allows you to set a general Non-compliance action for endpoints that don’t have FortiClient installed on them. The non-compliance action can be block or warning and is applied by the FortiGate. Blocked endpoints are quarantined by the FortiGate.

Endpoint vulnerability scanning

Similar to FortiOS 5.4 you can set the FortiClient Profile to run the FortiClient vulnerability scanner on endpoints and you can set the Vulnerability quarantine level to quarantine endpoints that don’t comply.


The vulnerability scan Non-compliance action can block or warn endpoints if the vulnerability scan shows they do not meet the vulnerability quarantine level.

System compliance

FortiOS 5.6 system compliance settings are similar to those in 5.4 with the addition of a non-compliance action. System compliance checking is performed by FortiClient but the non-compliance action is applied by the FortiGate.

Security posture checking

Security posture checking collects realtime protection, antivirus protection, web filtering and application firewall features under the Security Posture Check heading.




New FortiView Endpoint Vulnerability Scanner chart (378647)

FortiOS 5.6.0 adds a new chart to illustrate Endpoint Control events: Endpoint Vulnerability.

This is a list/bubble chart that tracks vulnerability events detected by the FortiClients running on all devices registered with the FortiGate. FortiView displays information about the vulnerability and the device on which it was detected.

Notes about the Endpoint Vulnerability Chart:

  • You can sort the list by Device or Vulnerability.
  • You can drill down into any device to see the Vulnerabilities detected. From there, you can drill down to see the exact Vulnerability Scan events that triggered the detection.
  • Select any Vulnerability Scan event to see the associated Log data.


NGFW Policy Mode (371602)

You can operate your FortiGate or individual VDOMs in Next Generation Firewall (NGFW) Policy Mode.

You can enable NGFW policy mode by going to System > Settings, setting the Inspection mode to Flow-based and setting the NGFW mode to Policy-based. When you select NGFW policy-based mode you also select the SSL/SSH Inspection mode that is applied to all policies.

Flow-based inspection with profile-based NGFW mode is the default in FortiOS 5.6.

Or use the following CLI command:

config system settings
    set inspection-mode flow
    set policy-mode {standard | ngfw}
end

NGFW policy mode and NAT

If your FortiGate is operating in NAT mode, rather than enabling source NAT in individual NGFW policies you go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases you may only need one SNAT policy for each interface pair. For example, if you allow users on the internal network (connected to port1) to browse the Internet (connected to port2) you can add a port1 to port2 Central SNAT policy similar to the following:


Application control in NGFW policy mode

You configure Application Control simply by adding individual applications to security policies. You can set the action to accept or deny to allow or block the applications.


Web Filtering in NGFW mode

You configure Web Filtering by adding URL categories to security policies. You can set the action to accept or deny to allow or block the URL categories.


Other NGFW policy mode options

You can also combine application control and web filtering in the same NGFW policy mode policy. If the policy accepts applications or URL categories, you can also apply AntiVirus, DNS Filtering, and IPS profiles in NGFW mode policies, as well as logging and policy learning mode.
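The NGFW policy-mode setup described above (mode switch, Central SNAT, then application and URL-category policies), written out as a CLI walk-through. This is an added example for this page, not configuration taken from the original post or from Fortinet's own documentation. It assumes port1 is the internal interface and port2 faces the Internet, that the `ssl-ssh-profile` keyword under `config system settings` is where the global SSL/SSH inspection profile is set in policy mode, and that the built-in "certificate-inspection", "default" AV profile and "default" IPS sensor exist. The `<app ID>` and `<category ID>` placeholders stand for real IDs taken from the unit's Application Signatures and Web Filter category lists; keyword names follow the 5.6 CLI and should be checked against the unit's CLI reference.

```text
# 1. Flow-based inspection with policy-based NGFW mode for the VDOM.
#    The SSL/SSH profile set here applies to every NGFW policy
#    (assumption: the keyword lives under system settings in policy mode).
config system settings
    set inspection-mode flow
    set policy-mode ngfw
    set ssl-ssh-profile "certificate-inspection"
end

# 2. Central SNAT replaces per-policy NAT in NGFW mode: one rule for the
#    port1 -> port2 interface pair, translating to the port2 address.
config firewall central-snat-map
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
end

# 3. NGFW policies carry applications and URL categories directly.
#    Policy 1 denies one application by ID and is evaluated first, so it
#    must stay above the general accept policy.
config firewall policy
    edit 1
        set name "block-app"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set application <app ID>
        set action deny
        set logtraffic all
    next
    # Policy 2 accepts one URL category with AV and IPS applied and logs it.
    edit 2
        set name "allow-web-category"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set url-category <category ID>
        set action accept
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Because Central SNAT is a separate table, a policy that accepts traffic in NGFW mode but has no matching `central-snat-map` entry passes it unNATed; check that table first when Internet-bound traffic matches the policy but never returns.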

 


Transparent web proxy (386474)

In addition to the Explicit Web Proxy, FortiOS now supports a Transparent web proxy. While it does not have as many features as Explicit Web Proxy, the transparent proxy has the advantage that nothing needs to be done on the user’s system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.

You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy. In previous versions of FortiOS, web authentication required using the explicit proxy.

Normal FortiOS authentication is IP address based. Users are authenticated according to their IP address and access is allowed or denied based on this IP address. On networks where authentication based on IP address will not work you can use the Transparent Web proxy to apply web authentication that is based on the user’s browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiGate from the same IP address.

Using the Transparent proxy

To implement the Transparent proxy, go to System > Settings and scroll down to Operations Settings and set the inspection mode to Proxy.

Then go to System > Feature Visibility and enable Explicit Proxy.

Then go to Security Profiles > Proxy Options, edit a proxy options profile and under Web Options enable HTTP Policy Redirect.

Then go to Policy & Objects > IPv4 Policy and create or edit a policy that accepts traffic that you want to apply web authentication to. This can be a general policy that accepts many different types of traffic as long as it also accepts the web traffic that you want to apply web authentication to.

Select a Security Profile and select the Proxy Options profile that you enabled HTTP Policy Redirect for.

 


Then go to Policy & Objects > Proxy Policy and create a Transparent Proxy policy to accept the traffic that you want to apply web authentication to. Set the Proxy Type to Transparent Web. The incoming interface, outgoing interface, destination address, and schedule should either match or be a subset of the same options defined in the IPv4 policy. Addresses added to the Source must match or be a subset of the source addresses added to the IPv4 policy. You can also add the users to be authenticated by the transparent policy to the source field.

Select other transparent policy options as required.
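The GUI procedure above, expressed as the equivalent CLI. This is an added example written for this page, not configuration from the original post or from Fortinet. It assumes port1 is the LAN side, port2 the WAN side, that a user group named "WebUsers" already exists, and that `gui-explicit-proxy` under `config system settings` is the CLI form of the Feature Visibility toggle; the profile and policy names are arbitrary. The authentication scheme and rule objects that actually perform the authentication are covered under "More about the transparent proxy" and are not repeated here.

```text
# 1. Transparent web proxy needs proxy inspection mode for the VDOM, and
#    the explicit-proxy GUI pages enabled (Feature Visibility > Explicit Proxy;
#    assumption: this is the matching CLI keyword).
config system settings
    set inspection-mode proxy
    set gui-explicit-proxy enable
end

# 2. Proxy options profile with HTTP Policy Redirect enabled: HTTP traffic
#    accepted by an IPv4 policy that uses this profile is handed to the proxy.
config firewall profile-protocol-options
    edit "tp-proxy-options"
        config http
            set http-policy enable
        end
    next
end

# 3. IPv4 policy that accepts the traffic and references that profile. It
#    can be broad (service ALL) as long as it also accepts the web traffic.
config firewall policy
    edit 10
        set name "lan-to-wan"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "tp-proxy-options"
        set nat enable
    next
end

# 4. Transparent Web proxy policy. Interfaces, addresses and schedule are a
#    subset of policy 10. Adding the group to the source side means only
#    authenticated members match; traffic without a known user triggers
#    the matching authentication rule.
config firewall proxy-policy
    edit 1
        set name "tp-web-auth"
        set proxy transparent-web
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "WebUsers"
        set utm-status enable
        set webfilter-profile "default"
        set logtraffic all
    next
end
```

Two things to verify after applying this: the proxy policy is never consulted unless the IPv4 policy's proxy options profile has `http-policy` enabled, and the Transparent Web proxy type only handles HTTPS when deep inspection is not in use, so keep certificate inspection on the IPv4 policy if HTTPS sites must also be authenticated.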

More about the transparent proxy

The following changes are incorporated into Transparent proxy, some of which affect Explicit Web Proxy as well.

Flat policies

The split policy feature has been removed. This will make the explicit policy more like the firewall policy.

Authentication

The new authentication design is intended to separate authentication from authorization. Authentication has been moved into a new table in the FortiOS. This leaves the authorization as the domain of the explicit proxy policy.

Previously, if authentication was to be used:

  1. The policy would be classified as an identity based policy
  2. The policy would be split to add the authentication parameters
  3. The authentication method would be selected
  4. The user/group would be configured

Now:

  1. The user/group is configured in the proxy policy
  2. A new authentication rule is added
  3. This option refers to the authentication scheme
  4. The authentication scheme has the details of the authentication method

The new authentication work flow for Transparent Proxy:

Toggle the transparent-http-policy match:

config firewall profile-protocol-options
    edit <profile ID>
        config http
            set http-policy <enable|disable>
        end
    next
end

If disabled, everything works like before. If enabled, the authentication is triggered differently.

http-policy work flow:

  • For transparent traffic, if there is a regular firewall policy match and the Layer 7 check option is enabled, traffic is redirected to WAD for further processing.
  • For redirected traffic, the layer 7 policy (HTTP policy) is used to determine how to do security checks.
  • If the last matching factor comes down to user ID, a new module is triggered to handle the L7 policy user authentication.
  • The learned user information is then propagated back to the system so that it can be used to match traffic for the L4 policy.

New Proxy Type

There is a new subcategory of proxy in the proxy policy called Transparent Web. The old Web Proxy is now referred to as Explicit Web Proxy.

  • This is set in the firewall policy
  • It is available when the HTTP policy is enabled in the profile-protocol options for the firewall policy
  • This proxy type supports OSI layer 7 address matching.
  • This proxy type should include a source address as a parameter
  • Limitations:
    • It can be used for HTTPS traffic, if deep scanning is not used
    • It only supports SNI address matching, i.e. domain names
    • It does not support header types of address matching
    • It only supports SSO authentication methods, no active authentication methods.

IP pools support

Proxies are now supported on outgoing IP pools.

SOCKSv5

SOCKSv5 authentication is now supported for explicit proxies.

To configure:

config authentication rule
    edit <name of rule>
        set protocol socks
    end

Forwarding

Proxies support URL redirect/forwarding. This allows a non-proxy forwarding server to be assigned a rule that will redirect web traffic from one URL to another, such as redirecting traffic destined for youtube.com to restrict.youtube.com.

  • A new option called “Redirect URL” has been added to the policy
  • Traffic forwarding by VIP is supported

Support for explicit proxy address objects & groups into IPv4 firewall policies

This would allow the selection of web filter policy, SSL inspection policy, and proxy policy based on source IP + destination (address|explicit proxy object|category|group of any of those). This enables things like “do full SSL interception on www.google.com, but not the rest of the Search Engines category”.

Support application service in the proxy based on HTTP requests.

The application service can be configured using the following CLI commands:

config firewall service custom
    edit <name of service>
        set explicit-proxy enable
        set app-service-type <disable|app-id|app-category>
        set app-category <application category ID, integer>
        set application <application ID, integer>
    end

CLI Changes:

  • Previous: config firewall explicit-proxy-policy becomes New: config firewall proxy-policy
  • Previous: config firewall explicit-proxy-address becomes New: config firewall proxy-address
  • Previous: config firewall explicit-proxy-addrgrp becomes New: config firewall proxy-addrgrp

Previous:

config firewall explicit-proxy-policy
    edit <policy ID>
        set proxy web
    end

New:

config firewall proxy-policy
    edit <policy ID>
        set proxy explicit-web
    end

Removals:

  • “split-policy” from firewall explicit-proxy-policy.

The previous method to set up a split policy was:

config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set utm-status enable
                set users "guest"
                set profile-protocol-options "default"
            next
        end
    next
end

  • “auth relative” from firewall explicit-proxy-policy

The following attributes have been removed from firewall explicit-proxy-policy:

  • identity-based
  • ip-based
  • active-auth-method
  • sso-auth-method
  • require-tfa

Moves:

users and groups from firewall explicit-proxy-policy identity-based-policy to:

config firewall proxy-policy
    edit 1
        set groups <Group name>
        set users <User name>
    end

Additions:

authentication scheme

config authentication scheme
    edit <name>
        set method [ntlm|basic|digest|form|negotiate|fsso|rsso|none]
    end

  • ntlm – NTLM authentication.
  • basic – Basic HTTP authentication.
  • digest – Digest HTTP authentication.
  • form – Form-based HTTP authentication.
  • negotiate – Negotiate authentication.
  • fsso – FSSO authentication.
  • rsso – RADIUS Single Sign-On authentication.
  • none – No authentication.

authentication setting

config authentication setting
    set active-auth-scheme <string>
    set sso-auth-scheme <string>
    set captive-portal <string>
    set captive-portal-port <integer value from 1 to 65535>
end

  • active-auth-scheme – Active authentication method.
  • sso-auth-scheme – SSO authentication method.
  • captive-portal – Captive portal host name.
  • captive-portal-port – Captive portal port number.

authentication rule

config authentication rule
    edit <name of rule>
        set status [enable|disable]
        set protocol [http|ftp|socks]
        set srcaddr <name of address object>
        set srcaddr6 <name of address object>
        set ip-based [enable|disable]
        set active-auth-method <string>
        set sso-auth-method <string>
        set web-auth-cookie [enable|disable]
        set transaction-based [enable|disable]
        set comments <string>
    end

  • status – Enable/disable auth rule status.
  • protocol – Set protocols to be matched.
  • srcaddr / srcaddr6 – Source address name. [srcaddr or srcaddr6 (web proxy only) must be set].
  • ip-based – Enable/disable IP-based authentication.
  • active-auth-method – Active authentication method.
  • sso-auth-method – SSO authentication method (requires ip-based enabled).
  • web-auth-cookie – Enable/disable Web authentication cookie.
  • transaction-based – Enable/disable transaction based authentication.
  • comments – Comment.
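The three new tables above, filled in for one VDOM so that the relationship between them is visible. This is an added example for this page, not Fortinet's documentation or configuration from the original post. Scheme names, rule names and the captive-portal host name are assumptions; an FSSO agent connection and the "WebUsers" group are assumed to exist already. Each rule references a scheme by name, and the setting table supplies the VDOM-wide defaults a rule falls back to when it names no scheme.

```text
# Schemes describe HOW a user is identified. The transparent web proxy
# accepts only SSO schemes, so FSSO serves it; a basic (active) scheme is
# kept for the explicit proxy, where the browser can be challenged.
config authentication scheme
    edit "sso-fsso"
        set method fsso
    next
    edit "active-basic"
        set method basic
    next
end

# VDOM defaults. The captive portal is only used by form-based schemes;
# the host name is a placeholder.
config authentication setting
    set sso-auth-scheme "sso-fsso"
    set active-auth-scheme "active-basic"
    set captive-portal "auth.example.com"
    set captive-portal-port 7830
end

config authentication rule
    # Rule 1: transparent HTTP. SSO schemes need ip-based, so the learned
    # user is bound to the client IP and is reused for L4 policy matching.
    edit "transparent-http"
        set status enable
        set protocol http
        set srcaddr "all"
        set ip-based enable
        set sso-auth-method "sso-fsso"
        set comments "Transparent web proxy, FSSO only"
    next
    # Rule 2: explicit proxy on a segment where several users share one
    # IP. ip-based is off and a web-auth cookie tracks each browser session,
    # which is what lets the proxy tell two users behind one address apart.
    edit "explicit-http-cookie"
        set status enable
        set protocol http
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "active-basic"
        set web-auth-cookie enable
        set comments "Explicit web proxy, per-browser cookie"
    next
    # Rule 3: SOCKSv5 clients going through the explicit proxy.
    edit "explicit-socks"
        set status enable
        set protocol socks
        set srcaddr "all"
        set active-auth-method "active-basic"
    next
end
```

Order matters: rules are evaluated top down per protocol and source address, so a rule with `srcaddr "all"` placed first shadows any narrower rule below it. Authorization stays in `config firewall proxy-policy` through its `users`/`groups` fields; these rules only establish who the user is.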


FortiExplorer for iOS

A new iOS FortiExplorer app is available as of April 8, 2017.

FortiExplorer for iOS is compatible with iPhone, iPad, and iPod Touch and supports configuration via REST API and display of FortiView and other Security Fabric components.

You can use FortiExplorer for iOS to perform most FortiOS configuration management tasks.

Advanced features will be available with the purchase of an add-on through the App Store. These paid features include adding more than two devices and downloading firmware images from FortiCare.

With the release of FortiOS 5.6.1, FortiOS icons and colors are now exportable in the GUI shared project and FortiExplorer now uses these icons and colors. This change improves the icon colors only for the FortiExplorer GUI theme (seen only when accessing a web GUI page from within the FortiExplorer iOS app).

The images below offer a preview of a few of the new FortiExplorer iOS app’s screens.

FortiExplorer iOS, v 1.0 – Device Status                                        FortiExplorer iOS, v. 1.0 – Sources


FortiExplorer iOS, v.1.0 – Device Interfaces                                   FortiExplorer iOS, v.1.0 – Firmware


New Dashboard Features

The FortiOS 5.6 Dashboard has a new layout with a Network Operations Center (NOC) view with a focus on alerts. Widgets are interactive; by clicking or hovering over most widgets, the user can get additional information or follow links to other pages.

Enhancements to the GUI dashboard and its widgets are:

  • Multiple dashboard support.
  • VDOM and global dashboards.
  • Updated resize control for widgets.
  • Notifications moved to the top header bar (moved existing dashboard notifications to the header and added additional ones).
  • Reorganization of Add Widget.
  • New Host Scan Summary widget.
  • New Vulnerabilities Summary widget that displays endpoint vulnerability information much like the FortiClient Enterprise Management Server (EMS) summary.
  • Multiple bug fixes.

Features that were only visible through old dashboard widgets have been placed elsewhere in the GUI:

  • Restore configuration.
  • Configuration revisions.
  • Firmware management.
  • Enabling / disabling VDOMs.
  • Changing inspection mode.
  • Changing operation mode.
  • Shutdown / restart device.
  • Changing hostname.
  • Changing system time.

The following widgets are displayed by default:

  • System Information
  • Licenses
  • FortiCloud
  • Security Fabric
  • Administrators
  • CPU
  • Memory
  • Sessions
  • Bandwidth
  • Virtual Machine (on VMs and new to FortiOS 5.6.1)

The following optional widgets are available:

  • Interface Bandwidth
  • Disk Usage
  • Security Fabric Risk
  • Advanced Threat Protection Statistics
  • Log Rate
  • Session Rate
  • Sensor Information
  • HA Status
  • Host Scan Summary
  • Vulnerabilities Summary
  • FortiView (new to FortiOS 5.6.1)

The following widgets have been removed:

  • CLI Console
  • Unit Operation
  • Alert Message Console

System Information

Licenses

Hovering over the Licenses widget will cause status information (and, where applicable, database information) on the licenses to be displayed for FortiCare Support, IPS & Application Control, AntiVirus, Web Filtering, Mobile Malware, and FortiClient. The image below shows FortiCare Support information along with the registrant’s company name and industry.

Clicking in the Licenses widget will provide you with links to other pages, such as System > FortiGuard or contract renewal pages.

FortiCloud

This widget displays FortiCloud status and provides a link to activate FortiCloud.

Security Fabric

The Security Fabric widget is documented in the Security Fabric section of the What’s New document.

Administrators

This widget allows you to view which administrators are logged in and how many sessions are active. The link directs you to a page displaying active administrator sessions.

CPU

The real-time CPU usage is displayed for different time frames.

Memory

Real-time memory usage is displayed for different time frames. Hovering over any point on the graph displays percentage of memory used along with a timestamp.

Sessions

Bandwidth

Virtual Machine

FortiOS 5.6.1 introduces a VM widget.

  • License status and type.
  • CPU allocation usage.
  • License RAM usage.
  • VMX license information (if the VM supports VMX).
  • If the VM license specifies ‘unlimited’ the progress bar is blank.
  • If the VM is in evaluation mode, it is yellow (warning style) and the dashboard shows evaluation days used.
  • Widget is shown by default in the dashboard of a FortiOS VM device.
  • Removed VM information from License widget at Global > Dashboard.
  • License info and Upload License button provided on page Global > System > FortiGuard.
  • Updated ‘Upload VM License’ page:
    • Added license RAM usage and VMX instance usage.
    • Replaced file input component.

 


Security Fabric Audit and Fabric Score

This chapter contains information about the Security Fabric Audit and Fabric Score, which together provide a method to continually monitor and improve your Security Fabric’s configuration.

What is the Security Fabric Audit?

The Security Fabric Audit is a feature on your FortiGate that allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.

Why should you run a Security Fabric Audit?

Using the Security Fabric Audit helps you to tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network. Also, by checking your Security Fabric Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time.

Running a Security Fabric Audit

The Security Fabric Audit can be found by going to Security Fabric > Audit. In the first step, all detected FortiGates are shown.


In the second step, the audit is performed and a list of recommendations is shown. Two views are available: Failed or All Results. These views can be further segmented so that you view results from all FortiGates or just a specific unit.

In each view, a chart appears showing the results of individual checks. The following information is shown: the name and a description of the check, which FortiGate the check occurred on, the check's effect on your overall security score, and any necessary recommendations.

If you hover the mouse over the Result for a check, you can get a breakdown on how this score was determined.

For more information about this, see “Security Fabric Score” below.


In Step Three of the Audit, Easy Apply recommendations are displayed and can be applied. By using Easy Apply, you can change the configuration of any FortiGate in the fabric.

For other recommendations, further action is required if you wish to follow the recommendation.

You can also view Audit recommendations for specific devices using the FortiView Topology consoles. If a recommendation is available for a device, a circle containing a number appears. The number shows how many recommendations are available, while the color of the circle shows the severity of the highest check that failed (red is critical, orange is high, yellow is medium, and blue is low).

Logging for the Security Fabric Audit

An event filter subtype is available for the Security Audit. Every time an audit is run, event logs are created on the root FortiGate that summarize the results of the audit, as well as details into the individual tests.


Syntax

config log eventfilter
    set security-audit {enable | disable}   (enabled by default)
end

Security Fabric Audit Checks

The Security Fabric Audit performs a variety of checks when analyzing your network. All checks are based on your current network configuration, using realtime monitoring. The Audit runs these checks across all FortiGates in the Security Fabric.

Firmware & Subscriptions

  Compatible Firmware (Critical, Easy Apply: No)
    Check: All FortiGates in the Security Fabric should run the same firmware version.
    Recommendation: Run same version as root.

  FortiCare Support (Critical, Easy Apply: No)
    Check: FortiGate should be registered with FortiCare.
    Recommendation: Register with FortiCare.

  FortiGuard License Subscriptions (High, Easy Apply: No)
    Check: All registered FortiGuard license subscriptions should be valid.
    Recommendation: Renew subscriptions.

  FortiAP Firmware Versions (Low, Easy Apply: No)
    Check: All FortiAPs should be running the latest firmware.
    Recommendation: Upgrade FortiAP to recommended version.

  FortiSwitch Firmware Versions (Low, Easy Apply: No)
    Check: All FortiSwitches should be running the latest firmware.
    Recommendation: Update all FortiSwitches to use the latest firmware.

Internal Segmentation Firewall (ISFW)

  Interface Classification (High, Easy Apply: Yes)
    Check: All interfaces should be classified as either “LAN”, “WAN”, or “DMZ”.
    Recommendation: Configure the interface role.

  Device Discovery (High, Easy Apply: Yes)
    Check: Interfaces which are classified as “LAN” or “DMZ” should have device detection enabled.
    Recommendation: Enable device detection.

  Third Party Router & NAT Devices (Medium, Easy Apply: No)
    Check: No third party router or NAT devices should be detected in the network.
    Recommendation: Replace the device with a FortiGate.

  VLAN Management (Medium, Easy Apply: No)
    Check: Non-FortiLink interfaces should not have multiple VLANs configured on them.
    Recommendation: Use FortiSwitch and FortiLink.

  Centralized Logging & Reporting (High, Easy Apply: No)
    Check: Logging and reporting should be done in a centralized place throughout the Security Fabric.
    Recommendation: Install FortiAnalyzer for logging & reporting.

  LAN Segment (Medium, Easy Apply: No)
    Check: Servers should be placed behind interfaces classified as “DMZ”.
    Recommendation: All servers should be moved to interfaces with role “DMZ”.

  Unused Policies (Medium, Easy Apply: No)
    Check: All IPv4 policies should be used.
    Recommendation: Review all IPv4 policies that haven’t been used in the last 90 days.

Advanced Threat Protection

  Advanced Threat Protection (High, Easy Apply: No)
    Check: Suspicious files should be submitted to FortiSandbox or FortiSandbox Cloud for inspection.
    Recommendation: Configure AntiVirus profiles to send files to FortiSandbox or FortiSandbox Cloud for inspection.

  Unauthorized FortiAPs (Medium, Easy Apply: Yes)
    Check: All discovered FortiAPs should be authorized or disabled.
    Recommendation: Authorize or disable unauthorized FortiAPs.

  Unauthorized FortiSwitches (Medium, Easy Apply: Yes)
    Check: All discovered FortiSwitches should be authorized or disabled.
    Recommendation: Authorize or disable unauthorized FortiSwitches.

Endpoint Compliance

  Endpoint Registration (High, Easy Apply: Yes)
    Check: Interfaces which are classified as “LAN” should have FortiTelemetry enabled.
    Recommendation: Enable FortiTelemetry on “LAN” interfaces.

  FortiClient Protected (Medium, Easy Apply: No)
    Check: All supported devices should be registered via FortiClient.
    Recommendation: Register all devices via FortiClient.

  FortiClient Compliance (Medium, Easy Apply: No)
    Check: All registered FortiClient devices should be compliant with FortiClient profile.
    Recommendation: Investigate non-compliant reason(s) for FortiClient endpoints.

  FortiClient Vulnerabilities (Critical, Easy Apply: No)
    Check: All registered FortiClient devices should have no critical vulnerabilities.
    Recommendation: Have FortiClient fix the detected critical vulnerabilities.

Security Best Practices

  Unsecure Protocol – HTTP (High, Easy Apply: Yes)
    Check: Interfaces which are classified as “WAN” should not allow HTTP administrative access.
    Recommendation: Enable HTTPS redirection globally.

  Unsecure Protocol – Telnet (High, Easy Apply: Yes)
    Check: Interfaces which are classified as “WAN” should not allow Telnet administrative access.
    Recommendation: Disable Telnet.

  Valid HTTPS Certificate – Administrative GUI (Medium, Easy Apply: No)
    Check: The administrative GUI should not be using a default built-in certificate.
    Recommendation: Acquire a certificate for your domain, upload it, and configure the administrative GUI to use it.

  Valid HTTPS Certificate – SSL VPN (Medium, Easy Apply: No)
    Check: SSL VPN should not be using a default built-in certificate.
    Recommendation: Acquire a certificate for your domain, upload it, and configure SSL VPN to use it.

  Explicit Interface Policies (Low, Easy Apply: No)
    Check: Policies that allow traffic should not be using the “any” interface.
    Recommendation: Change the policy to use a specific interface.

  Admin Password Policy (Medium, Easy Apply: Yes)
    Check: A password policy should be set up for system administrators.
    Recommendation: Enable a simple password policy for system administrators.
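Most of the ISFW, Endpoint Compliance and Security Best Practices checks above come down to a handful of settings, and the Easy Apply ones are exactly the FortiGate-side changes. The following is an added example written for this page, not Fortinet's documentation or configuration from the original post: it shows the weak WAN setting beside the corrected one and the remaining remediations in one place. Interface names (port1 LAN, port2 WAN), certificate names, the password-policy thresholds, and the use of `fortiheartbeat` as the 5.6-era CLI keyword for FortiTelemetry are assumptions; the certificates must already be uploaded under System > Certificates.

```text
# ISFW + Endpoint Compliance: classify the LAN interface, enable device
# detection and FortiTelemetry on it (assumption: "fortiheartbeat" is the
# FortiTelemetry keyword on this firmware).
config system interface
    edit "port1"
        set role lan
        set device-identification enable
        set fortiheartbeat enable
    next
    # Security Best Practices: the WAN interface.
    edit "port2"
        set role wan
        # Before (fails both "Unsecure Protocol" checks):
        #   set allowaccess ping https ssh http telnet
        # After: only encrypted management protocols are exposed.
        set allowaccess ping https ssh
    next
end

# "Enable HTTPS redirection globally", and move the administrative GUI off
# the built-in certificate ("corp-admin-cert" is a placeholder name).
config system global
    set admin-https-redirect enable
    set admin-server-cert "corp-admin-cert"
end

# SSL VPN must not use the default built-in certificate either.
config vpn ssl settings
    set servercert "corp-vpn-cert"
end

# Admin Password Policy: thresholds are assumptions, chosen to exceed the
# "simple" policy the check asks for.
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    set expire-status enable
    set expire-day 90
end

# Explicit Interface Policies: a policy bound to "any" fails the check;
# bind it to the real interface pair instead.
config firewall policy
    edit 20
        set name "lan-to-wan"
        # Before: set srcintf "any" / set dstintf "any"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying these, rerun the audit: the two "Unsecure Protocol" checks, Interface Classification, Device Discovery, Endpoint Registration and Admin Password Policy should move from Failed to passed for this unit, while the certificate checks only pass once the referenced certificates are CA-issued rather than the built-in Fortinet factory ones.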

Security Fabric Score

The Security Fabric Score widget has been added to the FortiGate Dashboard to give visibility into auditing trends. This widget uses information from the Security Fabric Audit to determine your score. Score can be positive or negative, with a higher score representing a more secure network.

Score is based on the number of checks failed and the severity of these checks. The weight for each severity level is as follows:

  • Critical: 50 points
  • High: 25 points
  • Medium: 10 points
  • Low: 5 points

You get points for passing a test only when it passes for all FortiGates in your fabric. If this occurs, the score is calculated using this formula:

+Severity Weight x Secure FortiGate Multiplier

The Severity Weight is calculated as Severity divided by the number of FortiGates in the Fabric. The Secure FortiGate Multiplier is determined using logarithms and the number of FortiGates in the fabric. For example, if you have four FortiGates in your fabric that all pass the Compatible Firmware check, your score for each individual FortiGate is:

(50/4) x 1.292 = 16.2 points

If a test fails on any FortiGate in your Fabric, all other FortiGates that passed the check award 0 points. For the FortiGate the test failed on, the score is calculated using this formula:

-Severity Weight x Count

Count is the number of times the check failed during the audit. For example, if two critical FortiClient vulnerabilities are discovered during the Audit, your score for that check is:

-50 x 2 = -100 points

 

For checks that do not apply, your score does not change. For example, if you have no FortiAPs in the fabric, you will receive no points for the FortiAP Firmware Versions check.

