Audit Dashboard
Security Posture Summary
A visual overview of security posture, rule-base composition, optimisation opportunities, and technical context before the detailed report sections begin.
Security Posture Overview
Overall rating: Critical. Critical issues were found and should be prioritised for remediation.
Findings: 84
Severity Breakdown: Critical 3 · High 29 · Medium 2 · Low 39 · Informational 11
Outcome Distribution (500 results, Pass / Fail / Info): Fail 73 · Info 11 · Pass 416

Top Security Findings
CRITICAL: ANY/ANY/ANY Rules (2 affected)
CRITICAL: Administrator projectx lacks MFA or approved external authentication (1 affected)
HIGH: Avoid broad east-west segmentation rules (19 affected)
HIGH: Insecure Protocol Allowed (2 affected)
HIGH: Administrator projectx has no trusted host restrictions (1 affected)

Rule Base Analytics
Policies: 25
Policy Actions: Allow 21 · Deny 2 · Disabled 2 · Other 0
Allow Rules: 21 · Deny Rules: 2 · Disabled Rules: 2
VDOMs: 2 · Interfaces: 29

Audit Results
Each finding below is listed as: severity | finding | check ID | results | estimated effort, followed by its failing and informational checks.

Global Rules

critical | Administrative account visibility is limited for projectx (super_admin_readonly) | 1/ADM-003 | 1 fail · 1 info · 0 pass | 1 hr
Failing Checks (1)
config system admin > projectx: fail
Description: Administrator projectx is configured without MFA or approved external authentication.
Remediation: Require MFA for local administrator accounts or move them to a protected external authentication workflow. Example configuration:

    config system admin
        edit <admin-name>
            set two-factor fortitoken
            set fortitoken <token-serial>
        next
    end

Effort: 0.5 hrs
Informational Checks (1)
Administrative account visibility is limited for projectx (super_admin_readonly): info
Description: The SSH account "projectx" only exposes a restricted FortiGate configuration view (super_admin_readonly). Read-only administrators cannot see other super_admin accounts. Checks against config system admin may therefore be incomplete. To audit all administrator accounts, use a full super_admin account or export the global configuration and run a manual upload audit.
Remediation: To audit all administrator accounts, connect with a full super_admin account that can view the complete global configuration, or export the global FortiGate configuration as a super_admin and run a manual upload audit.
Effort: 0.5 hrs
VDOM: root

critical | ANY/ANY/ANY Rules | 1/RH-001 | 1 fail · 22 pass | 1 hr
Failing Checks (1)
config firewall policy > 28 (LAN to Guest): fail
Description: Policies with source=any, destination=any, service=any completely bypass firewall protection.
Remediation: Restrict the source, destination, and service definitions so the rule is least-privilege. Example configuration:

    config firewall policy
        edit <policy-id>
            set srcaddr "<approved-source-object>"
            set dstaddr "<approved-destination-object>"
            set service "<approved-service-group>"
        next
    end

Effort: 1 hr
VDOM: wan-vdom

critical | ANY/ANY/ANY Rules | 1/RH-001 | 1 fail · 1 pass | 1 hr
Failing Checks (1)
config firewall policy > 1 (Root VDOM to Internet): fail
Description: Policies with source=any, destination=any, service=any completely bypass firewall protection.
Remediation: Restrict the source, destination, and service definitions so the rule is least-privilege. Example configuration:

    config firewall policy
        edit <policy-id>
            set srcaddr "<approved-source-object>"
            set dstaddr "<approved-destination-object>"
            set service "<approved-service-group>"
        next
    end

Effort: 1 hr
Global Rules

high | Administrative account visibility is limited for projectx (super_admin_readonly) | 1/ADM-001 | 1 fail · 1 info · 1 pass | 1 hr
Failing Checks (1)
config system admin > projectx: fail
Description: Administrator projectx does not restrict login sources with trusted hosts.
Remediation: Restrict each administrator account to one or more approved management hosts or subnets. Example configuration:

    config system admin
        edit <admin-name>
            set trusthost1 192.0.2.10 255.255.255.255
            set trusthost2 198.51.100.0 255.255.255.0
        next
    end

Effort: 0.5 hrs
Informational Checks (1)
Administrative account visibility is limited for projectx (super_admin_readonly): info
Description: The SSH account "projectx" only exposes a restricted FortiGate configuration view (super_admin_readonly). Read-only administrators cannot see other super_admin accounts. Checks against config system admin may therefore be incomplete. To audit all administrator accounts, use a full super_admin account or export the global configuration and run a manual upload audit.
Remediation: To audit all administrator accounts, connect with a full super_admin account that can view the complete global configuration, or export the global FortiGate configuration as a super_admin and run a manual upload audit.
Effort: 0.5 hrs
high | Enforce a strong administrator password policy | 1/ADM-004 | 1 fail · 0 pass | 0.5 hrs
Failing Checks (1)
config system password-policy: fail
Description: The administrator password policy is disabled or does not enforce the expected minimum complexity.
Remediation: Enable a strong password policy for administrator accounts. Example configuration:

    config system password-policy
        set status enable
        set apply-to admin-password
        set minimum-length 14
        set min-upper-case-letter 1
        set min-lower-case-letter 1
        set min-number 1
        set min-non-alphanumeric 1
        set reuse-password disable
    end

Effort: 0.5 hrs
high | The device exposes HTTP or Telnet management on interfaces | 1/ADM-008 | 1 fail · 0 pass | 0.3 hrs
Failing Checks (1)
config system interface > internal (http): fail
Description: The device allows the insecure management protocol http on 1 interface. Example: internal (http).
Remediation: Remove HTTP and Telnet from interface administrative access and leave only the secure protocols that are required. Example configuration:

    config system interface
        edit <interface-name>
            set allowaccess https ssh ping
        next
    end

Effort: 0.3 hrs
high | Allow only TLS 1.2 or higher for HTTPS administration | 1/CRY-001 | 1 fail · 0 pass | 0.5 hrs
Failing Checks (1)
config system global: fail
Description: HTTPS administration still allows TLS 1.0 or TLS 1.1.
Remediation: Restrict administrative HTTPS access to TLS 1.2 or newer only. Example configuration:

    config system global
        set admin-https-ssl-versions tlsv1-2 tlsv1-3
        set ssl-min-proto-version tlsv1-2
    end

Effort: 0.5 hrs
high | Persistent logging is not enabled | 1/LOG-001 | 1 fail · 0 pass | 0.3 hrs
Failing Checks (1)
Persistent logging is not enabled: fail
Description: No persistent logging destination is enabled for the FortiGate.
Remediation: Enable logging to FortiAnalyzer, syslog, disk, or another approved retained logging destination. Example configuration:

    config log syslogd setting
        set status enable
        set server "192.0.2.50"
    end

Effort: 0.3 hrs
high | No Administrator Audit Logging | 1/LOG-006 | 1 fail · 0 pass | 0.5 hrs
Failing Checks (1)
No Administrator Audit Logging: fail
Description: Administrator activity and configuration changes are not being captured by central or local audit mechanisms.
Remediation: Enable administrator audit logging locally and/or forward administrator events to syslog or FortiAnalyzer. Example configuration:

    config system global
        set cli-audit-log enable
        set revision-backup-on-logout enable
    end

Effort: 0.5 hrs
high | No High Availability | 1/MISC-003 | 1 fail · 0 pass | 4 hrs
Failing Checks (1)
config system ha: fail
Description: High availability is not configured.
Remediation: Deploy or validate a FortiGate HA pair for critical security boundaries. Example configuration:

    config system ha
        set mode a-p
        set group-name "fg-ha-pair"
        set hbdev "port3" 100
    end

Effort: 4 hrs
VDOM: root

high | Insecure Protocol Allowed | 1/FW-003 | 2 fail · 21 pass | 1 hr
Failing Checks (2): config firewall policy > 32 (Webserver Load Balancer); config firewall policy > 24 (Emby Access). Both fail.
Description (each check): The policy allows insecure or unencrypted protocols.
Remediation (each check): Replace insecure protocols with encrypted alternatives or restrict them to the smallest approved scope. Example configuration:

    config firewall policy
        edit <policy-id>
            set service "HTTPS"
        next
    end

Effort: 0.5 hrs per policy
high | Avoid broad east-west segmentation rules | 1/SEG-001 | 17 fail · 6 pass | 8.5 hrs
Failing Checks (17): config firewall policy > 30 (Internet Access (No SSL Insp)); 20 (Internal Internet Access (SSL Insp)); 1 (Internal Internet Access (no SSL)); 28 (LAN to Guest); 21 (LAN to DMZ Access); 22 (Plex/Emby to TVBox for streaming); 19 (DMZ Internet Access (no SSL)); 16 (Guest Internet Access); 33 (Guest to DMZ); 27 (Cameras > Phone); 7 (SSLVPN LAN Access); 8 (SSLVPN Internet Access); 14 (IPSEC VPN LAN Access); 15 (IPSEC VPN Internet Access); 32 (Webserver Load Balancer); 25 (Plex Access); 26 (PS4 Access). All fail.
Description (each check): The policy creates broad east-west access between internal zones.
Remediation (each check): Replace broad internal-zone access with dedicated address objects, narrower services, and only the required segmentation paths. Example configuration:

    config firewall policy
        edit <policy-id>
            set srcaddr "<approved-source-object>"
            set dstaddr "<approved-destination-object>"
            set service "<approved-service-group>"
        next
    end

Effort: 0.5 hrs per policy
high | VPN phase2-interface IPSEC_VPN_USERS uses all-to-all traffic selectors | 1/VPN-004 | 1 fail · 0 pass | 0.6 hrs
Failing Checks (1)
config vpn ipsec phase2-interface > IPSEC_VPN_USERS: fail
Description: VPN phase2-interface IPSEC_VPN_USERS uses all-to-all traffic selectors for both local and remote networks.
Remediation: Restrict phase 2 selectors to the exact source and destination networks that need to communicate. Example configuration:

    config vpn ipsec phase2-interface
        edit <phase2-name>
            set src-subnet 10.10.10.0 255.255.255.0
            set dst-subnet 192.0.2.0 255.255.255.0
        next
    end

Effort: 0.6 hrs
VDOM: wan-vdom

high | Avoid broad east-west segmentation rules | 1/SEG-001 | 2 fail · 0 pass | 1 hr
Failing Checks (2): config firewall policy > 1 (Root VDOM to Internet); config firewall policy > 2 (Internet to Root VDOM VIPs). Both fail.
Description (each check): The policy creates broad east-west access between internal zones.
Remediation (each check): Replace broad internal-zone access with dedicated address objects, narrower services, and only the required segmentation paths. Example configuration:

    config firewall policy
        edit <policy-id>
            set srcaddr "<approved-source-object>"
            set dstaddr "<approved-destination-object>"
            set service "<approved-service-group>"
        next
    end

Effort: 0.5 hrs per policy
Global Rules

medium | HTTPS administration uses the default port | 1/ADM-006 | 1 fail · 0 pass | 0.2 hrs
Failing Checks (1)
config system global: fail
Description: HTTPS administrative access is still using the default TCP port 443.
Remediation: Move GUI administration to a non-default port and document the approved management access path. Example configuration:

    config system global
        set admin-sport 8443
    end

Effort: 0.2 hrs
medium | SSH administration uses the default port | 1/ADM-007 | 1 fail · 0 pass | 0.2 hrs
Failing Checks (1)
config system global: fail
Description: SSH administrative access is still using the default TCP port 22.
Remediation: Move CLI administration to a non-default SSH port and keep that path limited to approved management sources. Example configuration:

    config system global
        set admin-ssh-port 2222
    end

Effort: 0.2 hrs
low | Enable automatic configuration backup before firmware upgrades | 1/OPS-004 | 1 fail · 0 pass | 0.2 hrs
Failing Checks (1)
config system global: fail
Description: Automatic configuration backup before firmware upgrades is disabled.
Remediation: Enable automatic configuration backup before firmware upgrades so the device keeps a restorable pre-upgrade snapshot. Example:

    config system global
        set revision-image-auto-backup enable
    end

Effort: 0.2 hrs
VDOM: root

low | VDOM root has enabled firewall policies without comments | 1/FW-002 | 5 fail · 0 pass | 0.4 hrs
Failing Checks (5): config firewall policy > 1 (Internal Internet Access (no SSL)); 7 (SSLVPN LAN Access); 8 (SSLVPN Internet Access); 14 (IPSEC VPN LAN Access); 15 (IPSEC VPN Internet Access). All fail.
Description (each check): VDOM root has 19 enabled firewall policies without comments out of 21 enabled policies reviewed. Examples: policy 1 (Internal Internet Access (no SSL)); policy 7 (SSLVPN LAN Access); policy 8 (SSLVPN Internet Access); policy 14 (IPSEC VPN LAN Access); policy 15 (IPSEC VPN Internet Access).
Remediation (each check): Example configuration:

    config firewall policy
        edit <policy-id>
            set comments "Business purpose / owner / review context"
        next
    end

Effort: 0.1 hrs per policy
low | Shadowed firewall policy | 1/RH-004 | 15 fail · 8 pass | 7.5 hrs
Failing Checks (15): all under config firewall policy, all fail (the policy IDs are blank in this export).
Description (7 checks): This policy is shadowed by earlier policy ID . The earlier policy matches the same or broader source interface, destination interface, source address, destination address, and service criteria.
Description (8 checks): This policy duplicates earlier policy ID . The earlier policy has the same action and matches the same or broader criteria.
Remediation (each check): Example configuration:

    config firewall policy
        edit <policy-id>
            set status disable
        next
    end

Effort: 0.5 hrs per policy
low | No Schedule Restrictions | 1/RH-008 | 19 fail · 4 pass | 9.5 hrs
Failing Checks (19; this export lists 18): config firewall policy > 30 (Internet Access (No SSL Insp)); 20 (Internal Internet Access (SSL Insp)); 1 (Internal Internet Access (no SSL)); 28 (LAN to Guest); 21 (LAN to DMZ Access); 31 (Test rule for backend svr >nas SCP); 22 (Plex/Emby to TVBox for streaming); 19 (DMZ Internet Access (no SSL)); 16 (Guest Internet Access); 33 (Guest to DMZ); 27 (Cameras > Phone); 7 (SSLVPN LAN Access); 8 (SSLVPN Internet Access); 14 (IPSEC VPN LAN Access); 15 (IPSEC VPN Internet Access); 32 (Webserver Load Balancer); 24 (Emby Access); 25 (Plex Access). All fail.
Description (each check): Business-hours-only services are allowed 24/7 without time-based restrictions.
Remediation (each check): Apply a schedule to restrict this policy to the required operating window. Example configuration:

    config firewall policy
        edit <policy-id>
            set schedule "business-hours"
        next
    end

Effort: 0.5 hrs per policy
edit <policy-id>
set schedule "business-hours"
next
end Effort: 0.5 hrs config firewall policy > 26 (PS4 Access) failDescription Business-hours-only services allowed 24/7 without time-based restrictions Remediation Apply a schedule to restrict this policy to the required operating window.
Example configuration:
config firewall policy
edit <policy-id>
set schedule "business-hours"
next
end Effort: 0.5 hrs | ||||
| VDOM: wan-vdom | ||||
| ▼ | low | VDOM wan-vdom has enabled firewall policies without comments1/FW-002 | 2 fail · 0 pass | 0.2 hrs |
Failing Checks (2)
config firewall policy > 1 (Root VDOM to Internet): fail
Description: VDOM wan-vdom has 2 enabled firewall policies without comments out of 2 enabled policies reviewed. Examples: policy 1 (Root VDOM to Internet); policy 2 (Internet to Root VDOM VIPs).
Remediation: Example configuration:
config firewall policy
edit <policy-id>
set comments "Business purpose / owner / review context"
next
end
Effort: 0.1 hrs
config firewall policy > 2 (Internet to Root VDOM VIPs): fail
Description: VDOM wan-vdom has 2 enabled firewall policies without comments out of 2 enabled policies reviewed. Examples: policy 1 (Root VDOM to Internet); policy 2 (Internet to Root VDOM VIPs).
Remediation: Example configuration:
config firewall policy
edit <policy-id>
set comments "Business purpose / owner / review context"
next
end
Effort: 0.1 hrs | ||||
| ▼ | low | No Schedule Restrictions1/RH-008 | 2 fail · 0 pass | 1 hr |
Failing Checks (2)
config firewall policy > 1 (Root VDOM to Internet): fail
Description: Business-hours-only services allowed 24/7 without time-based restrictions.
Remediation: Apply a schedule to restrict this policy to the required operating window. Example configuration:
config firewall policy
edit <policy-id>
set schedule "business-hours"
next
end
Effort: 0.5 hrs
config firewall policy > 2 (Internet to Root VDOM VIPs): fail
Description: Business-hours-only services allowed 24/7 without time-based restrictions.
Remediation: Apply a schedule to restrict this policy to the required operating window. Example configuration:
config firewall policy
edit <policy-id>
set schedule "business-hours"
next
end
Effort: 0.5 hrs | ||||
| Global Rules | ||||
| ▼ | info | Administrative account visibility is limited for projectx (super_admin_readonly)1/ADM-002 | 0 fail · 1 info · 1 pass | 0.5 hrs |
Informational Checks (1)
Administrative account visibility is limited for projectx (super_admin_readonly): info
Description: The SSH account "projectx" only exposes a restricted FortiGate configuration view (super_admin_readonly). Read-only administrators cannot see other super_admin accounts. Checks against config system admin may therefore be incomplete. To audit all administrator accounts, use a full super_admin account or export the global configuration and run a manual upload audit.
Remediation: To audit all administrator accounts, connect with a full super_admin account that can view the complete global configuration, or export the global FortiGate configuration as a super_admin and run a manual upload audit.
Effort: 0.5 hrs | ||||
| ▼ | info | Administrative account visibility is limited for projectx (super_admin_readonly)1/ADM-010 | 0 fail · 1 info · 1 pass | 0.5 hrs |
Informational Checks (1)
Administrative account visibility is limited for projectx (super_admin_readonly): info
Description: The SSH account "projectx" only exposes a restricted FortiGate configuration view (super_admin_readonly). Read-only administrators cannot see other super_admin accounts. Checks against config system admin may therefore be incomplete. To audit all administrator accounts, use a full super_admin account or export the global configuration and run a manual upload audit.
Remediation: To audit all administrator accounts, connect with a full super_admin account that can view the complete global configuration, or export the global FortiGate configuration as a super_admin and run a manual upload audit.
Effort: 0.5 hrs | ||||
| ▼ | info | Review Change Management Process1/MISC-001 | 0 fail · 1 info · 0 pass | — |
Informational Checks (1)
Review Change Management Process: info
Description: Change-management evidence such as approvals, tickets, and CAB records cannot be verified from the firewall configuration export alone.
Remediation: Review your change-management records to confirm firewall changes are linked to approved requests. Example configuration:
config system global
set revision-backup-on-logout enable
end
config firewall policy
edit <policy-id>
set comments "Change ticket CHG-12345 / owner / review date"
next
end | ||||
| ▼ | info | No Detected Config Backup Method1/MISC-002 | 0 fail · 1 info · 0 pass | — |
Informational Checks (1)
config system central-management: info
Description: Automated backup scheduling cannot be fully verified from the firewall configuration export alone.
Remediation: Confirm scheduled configuration backups in FortiManager, automation stitches, or your external backup platform. Example configuration:
config system auto-script
edit "nightly-config-backup"
set interval 86400
set repeat 0
set script "execute backup config ftp backup.conf 192.0.2.50 backupuser <password>"
next
end | ||||
| ▼ | info | Perform Scheduled Rule Reviews1/MISC-005 | 0 fail · 1 info · 0 pass | — |
Informational Checks (1)
Perform Scheduled Rule Reviews: info
Description: Policy review cadence cannot be proven from the firewall configuration export alone.
Remediation: Review your governance records to confirm rule reviews are performed on schedule. Example configuration:
config firewall policy
edit <policy-id>
set comments "Last reviewed 2026-06-06 / next review 2026-12-06 / owner"
next
end | ||||
| VDOM: root | ||||
| ▼ | info | VDOM root contains duplicate address objects1/OBJ-003 | 0 fail · 1 info · 0 pass | 0.1 hrs |
Informational Checks (1)
config firewall address > wildcard.dropbox.com, g-dropbox.com => *.dropbox.com: info
Description: VDOM root contains 1 duplicate address object group that resolves to the same effective values. Example: wildcard.dropbox.com, g-dropbox.com => *.dropbox.com.
Remediation: Example configuration:
config firewall address
edit "canonical-address-object"
set subnet 192.0.2.0 255.255.255.0
next
end
Effort: 0.1 hrs | ||||
| ▼ | info | VDOM root contains duplicate custom service objects1/OBJ-004 | 0 fail · 3 info · 0 pass | 0.2 hrs |
Informational Checks (3)
config firewall service custom > FTP, FTP_GET, FTP_PUT tcp:21: info
Description: VDOM root contains 3 duplicate custom service object groups with equivalent protocol and port definitions. Examples: FTP, FTP_GET, FTP_PUT tcp:21; Internet-Locator-Service, LDAP tcp:389; RLOGIN, RSH tcp:512-1023.
Remediation: Example configuration:
config firewall service custom
edit "canonical-service-object"
set tcp-portrange 443
next
end
Effort: 0.1 hrs
config firewall service custom > Internet-Locator-Service, LDAP tcp:389: info
Description: VDOM root contains 3 duplicate custom service object groups with equivalent protocol and port definitions. Examples: FTP, FTP_GET, FTP_PUT tcp:21; Internet-Locator-Service, LDAP tcp:389; RLOGIN, RSH tcp:512-1023.
Remediation: Example configuration:
config firewall service custom
edit "canonical-service-object"
set tcp-portrange 443
next
end
Effort: 0.1 hrs
config firewall service custom > RLOGIN, RSH tcp:512-1023: info
Description: VDOM root contains 3 duplicate custom service object groups with equivalent protocol and port definitions. Examples: FTP, FTP_GET, FTP_PUT tcp:21; Internet-Locator-Service, LDAP tcp:389; RLOGIN, RSH tcp:512-1023.
Remediation: Example configuration:
config firewall service custom
edit "canonical-service-object"
set tcp-portrange 443
next
end
Effort: 0.1 hrs | ||||
| VDOM: wan-vdom | ||||
| ▼ | info | VDOM wan-vdom contains duplicate address objects1/OBJ-003 | 0 fail · 1 info · 0 pass | 0.1 hrs |
Informational Checks (1)
config firewall address > wildcard.dropbox.com, g-dropbox.com => *.dropbox.com: info
Description: VDOM wan-vdom contains 1 duplicate address object group that resolves to the same effective values. Example: wildcard.dropbox.com, g-dropbox.com => *.dropbox.com.
Remediation: Example configuration:
config firewall address
edit "canonical-address-object"
set subnet 192.0.2.0 255.255.255.0
next
end
Effort: 0.1 hrs | ||||
| ▼ | info | VDOM wan-vdom contains duplicate custom service objects1/OBJ-004 | 0 fail · 3 info · 0 pass | 0.2 hrs |
Informational Checks (3)
config firewall service custom > FTP, FTP_GET, FTP_PUT tcp:21: info
Description: VDOM wan-vdom contains 3 duplicate custom service object groups with equivalent protocol and port definitions. Examples: FTP, FTP_GET, FTP_PUT tcp:21; Internet-Locator-Service, LDAP tcp:389; RLOGIN, RSH tcp:512-1023.
Remediation: Example configuration:
config firewall service custom
edit "canonical-service-object"
set tcp-portrange 443
next
end
Effort: 0.1 hrs
config firewall service custom > Internet-Locator-Service, LDAP tcp:389: info
Description: VDOM wan-vdom contains 3 duplicate custom service object groups with equivalent protocol and port definitions. Examples: FTP, FTP_GET, FTP_PUT tcp:21; Internet-Locator-Service, LDAP tcp:389; RLOGIN, RSH tcp:512-1023.
Remediation: Example configuration:
config firewall service custom
edit "canonical-service-object"
set tcp-portrange 443
next
end
Effort: 0.1 hrs
config firewall service custom > RLOGIN, RSH tcp:512-1023: info
Description: VDOM wan-vdom contains 3 duplicate custom service object groups with equivalent protocol and port definitions. Examples: FTP, FTP_GET, FTP_PUT tcp:21; Internet-Locator-Service, LDAP tcp:389; RLOGIN, RSH tcp:512-1023.
Remediation: Example configuration:
config firewall service custom
edit "canonical-service-object"
set tcp-portrange 443
next
end
Effort: 0.1 hrs | ||||
Implementation Guidance
Testing Requirements
Validate remediation in a non-production environment before deployment and confirm that required traffic still functions after changes.
Change Management
Follow change control procedures, retain rollback plans, and document stakeholder approvals for firewall modifications.
Prioritization Approach
- Address Critical verified findings within 48–72 hours.
- Plan High verified remediation within 1–2 weeks.
- Schedule Medium priority fixes in the next maintenance window.
- Bundle Low priority items into routine improvement cycles.
- Review lower-priority findings with engineering and audit stakeholders.